Security & compliance · Poznań, Poland

Security you can measure and trust.

Comtis is an independent security consultancy. We help organisations achieve and maintain PCI DSS and ISO/IEC 27001 compliance, and we verify the resilience of their systems through professional penetration testing.

PCI DSS ISO/IEC 27001 PCI SSF Penetration testing Since 2019
Standards we work with
PCI DSS PCI SSF PCI 3DS ISO/IEC 27001 OWASP

Security & compliance services

From compliance strategy to hands-on verification — focused expertise across four areas.

PCI DSS compliance assessments

Assessments and audits against the Payment Card Industry Data Security Standard, including network segmentation testing and gap analyses — done with a clear understanding of how payment environments work in practice.

PCI DSSSegmentation testingGap analysis

ISO/IEC 27001 advisory

Support in implementing and maintaining Information Security Management Systems based on ISO/IEC 27001 and the broader ISO/IEC 27000 family — from risk assessment to certification readiness.

ISO/IEC 27001ISMSRisk management

Penetration testing

Controlled security testing of infrastructure, web applications, and cloud environments. Findings come with severity ratings, evidence, and remediation guidance that engineering teams can act on.

InfrastructureWeb applicationsCloud

PCI Software Security Framework

Advisory for payment software vendors on meeting the requirements of the PCI Secure Software Standard and the Secure Software Lifecycle (Secure SLC) programmes.

PCI SSFSecure SLCSecure Software

Security expertise without the overhead

Comtis is a deliberately compact practice. Every engagement is handled directly by the expert doing the work — no account managers, no hand-offs. The scope is agreed up front and tailored to what your organisation actually needs.

  • Direct access to the expert throughout the engagement
  • Reports written for both management and engineering teams
  • Secure communication available — Signal, encrypted e-mail
  • Transparent, fixed scope agreed before work begins

Milestones

2019

ISO 27001

Practice established; information security management advisory.

2020

PCI DSS

Payment card industry compliance assessments added.

2022

Penetration testing

Infrastructure and application security testing added.

2023

PCI SSF

Payment software security framework assessments added.

2026

PCI 3DS

3-D Secure environment security assessments added.

FAQ

Frequently asked questions

How long does a PCI DSS assessment take?

It depends on the size and complexity of the cardholder data environment. A typical assessment takes two to six weeks — from the opening workshop, through testing and documentation review, to the final report. The exact schedule is agreed before work begins.

What is the difference between a penetration test and a vulnerability scan?

A vulnerability scan is an automated check for known weaknesses. A penetration test goes further: an expert manually verifies and chains vulnerabilities, attempting to actually break through defences — the way a real attacker would. The result is a report with evidence and remediation priorities, not just a list of alerts.

Do you work with companies outside Poland?

Yes. We work in Polish and English, remotely and on site — mainly across Europe. Documentation and reports are delivered in the language of your choice.

Where should we start if we are not sure what we need?

With a short conversation. We usually suggest a gap analysis, which shows where you stand against the requirements of the standard and what realistically needs to be done. Based on that, we agree the scope of further work.

Let's talk about your security

Enquiries are answered within one business day. For sensitive matters, secure channels are available on request.

Office

Poznań, Poland

Secure messaging

Signal: ch3ch3.86