Connect with Us


A company’s Information Security Management System should support its business strategy, not constrain it. We put the strategic needs of our clients businesses first, determining the scope of the company’s ISMS so the boundaries can be clearly defined such that the ISMS supports the business’s long-term goals.

The complexity of the business and regulatory landscape is increasing dramatically. Companies are navigating a proliferation of new regulatory requirements and client expectations to safeguard their data, and are challenged to do so in a way that supports performance objectives, sustains value and protects the brand.


Brier & Thorn’s Risk, Audit, and Compliance Practice breaks down the PCI-DSS 3.1 milestones to PCI compliance.


Am I a Merchant or Service Provider?


An organization’s ability to effectively mitigate and capitalize on risk is a growing differentiator in the marketplace with direct impact to business profit and mission effectiveness. In a world of greater complexity introduced by increasing compliance and regulatory oversight that buries organizations under a landslide of regulation, organizations must constantly adapt and quickly get ahead of the regulation and threat.

Brier & Thorn’s Risk, Audit, and Compliance practice positions resilience as a strategic imperative for companies who process and store cardholder data by enabling them to effectively meet the PCI Data Security Standard (PCI-DSS) requirements and successfully pass their annual audits through the development of an Information Security Management System (ISMS). Through an ISMS, our clients are able to address the 6 PCI milestones while meeting international ISO standards through a formal ISMS that achieves a systematic approach to the identification, assessment, and management of information security risks in their enterprise. By meeting PCI requirements through a formal information security program brought under management control, our clients can move beyond just checkbox security and move more into a position of safeguarding consumer data while protecting their brand.

Over the past 10 years, merchants and service providers who process and store cardholder data have increasingly become a target of advanced persistent threats that are looking to monetize stolen cardholder data that these organizations are trusted to safeguard. While still boasting compliance with the PCI-DSS, these organizations were still being compromised and as a result, were heavily affected by negative headlines that impacted consumer confidence. Several breaches recorded during 2014, dubbed “year of the retailer breach,” posed existential threats to the company’s brand through the erosion of this consumer and shareholder confidence.

History has proven that merely being compliant with the PCI-DSS is not enough.

Our ApproachUnsere Methode

Our consultants help organizations achieve leadership in PCI-DSS compliance through a multidimensional approach to achieving compliance for the organization by creating highly customized roadmaps based on their unique circumstances and needs by working with business leaders to initially understand corporate goals and then determine what controls, technological capabilities, systems and support they require to succeed. Just like everything else in business, one size does not fit all in information security. We help clients become more risk resilient by addressing the issues of IT risk management, compliance and regulatory risk management, supply chain resiliency, privacy and data protection, and governance.

Our approach to PCI compliance transformation is guided by four distinctive elements:

  1. Environmental Awareness. The tenets of PCI compliance mainly revolve around understanding the environment, both physical and virtual, comprised of the technology and people assets that are within scope of the PCI-DSS. By understanding the environment first, we are able to fully understand what assets comprise the cardholder data environment (CDE) that must be secured so they can be isolated into a segmented network where PCI in-scope data is processed and stored and access into the CDE can be controlled.
  2. Design. After understanding the environment, our consultants work closely with our client to design a strategy that conforms to the business to ensure that information security imperatives do not have a negative impact on the business. Using environmental awareness, we are able to use the latest and most relevant intelligence to inform strategy for building and operationalizing the ISMS, rather than building upon existing infrastructure and operations that may or may not fit emerging marketplace and regulatory compliance demands.
  3. Build. In ever-changing regulatory environments, whether its PCI, HIPAA, GLB, or others, reactionary quick fixes won’t cut it for long. We help companies create the capacity to continuously innovate through such processes as the Plan, Do, Check, Act (PDCA) Deming Model and learning loops, so that the investments in risk management follow an iterative four-step management method used to control and continuously improve the ISMS that lead to sustainable risk management growth and improvement, even in a tumultuous regulatory environment. This phase implements the designed network architecture of an isolated CDE, implementation of primary controls, and hardening of assets.
  4. Test. Once the build stage has migrated all in-scope assets to an isolated CDE segmented from lower security zones in the enterprise and primary controls have been implemented, effectiveness reviews will be performed of the controls to ensure they are treating risk to an acceptable level in the enterprise and are operating effectively. Further testing will be performed of PCI applications as well as application and network penetration testing, vulnerability scanning, and an ISO 33000 risk assessment. This step ensures all required controls are met so that clients have the right technology foundation in place to support their compliance requirements.
  5. Implement. The best-laid strategy can sink if the business chooses to resist it. In this final element, the ISMS is implemented and operationalized within the organization. Necessary capacity building and training is performed from day one to help clients think about how to drive a cultural mindset shift within the organization, involving change champions to co-create and roll out the plan.

History has proven that merely being compliant with the PCI-DSS is not enough.

Client ResultKundenergebnisse

We share our clients’ ambitions working to understand their reality and deliver true results – focusing on strategic decisions and practical actions. We align our incentives with our clients’ objectives so they know we’re in this together as a closely-held partnership.

Global sports apparel brand kicks up PCI compliance with Brier & Thorn

How Foot Locker, a global sports apparel retailer kicked up its IT risk management program with Brier & Thorn in meeting its PCI compliance requirements of its disparate cardholder data environment.

National Debt Collection Company recovers consumer confidence after divestiture through new PCI compliant Risk Management Program

Brier & Thorn helps transform risk management strategy at Transworld Systems, Inc.; after assisting in its divestiture from EGS as a PCI Level 1 Service Provider to meet regulatory compliance demands in protection of client and consumer cardholder data.