How The Boxoffice Company achieved compliance harmony and aced PCI-DSS

The Boxoffice Company, with 200+ employees across France, Scotland, Canada, Mexico and the U.S., is a leading provider of media, technology, and data for the global film industry. Its network of media brands reaches millions of movie fans across the U.S., Europe, and Latin America. The organization offers a collection of products, including websites, mobile applications, CRM, and online ticketing solutions, to help discovery platforms, studios, and exhibitors worldwide connect directly with moviegoers and fans.


Key requirements

A compliance partner to define the scope of PCI-DSS compliance, implement and monitor controls, and minimize internal workload, while ensuring seamless, disruption-free operations.

Guided PCI-DSS scoping to right-size Level 1 audit requirements, with milestone-driven platform and security program implementation, asset-level control integration, automated tracking, and time-bound tasks to ensure on-time audit readiness.

Framework: PCI-DSS | Region: EU

8 weeks: time to PCI-DSS Level 1 audit readiness

~70%: PCI-DSS control gaps closed within weeks

9 time zones: across which processes were standardized


The Challenge: Operationalizing PCI-DSS with minimal scope of work

For Boxoffice, a white-label data solution provider to the movie industry, pressure from clients for an Attestation of Compliance (AoC) with PCI-DSS was the initial impetus for pursuing compliance.

Marine Suttle, Managing Director at The Boxoffice Company, spearheaded the team’s efforts to become PCI-DSS compliant and identified two major challenges to completing this project:

  1. The team lacked the expertise to take on PCI-DSS compliance. While engineers managed IT safeguards, they lacked experience with the tactical and administrative tasks of compliance. This left them uncertain and stressed about what to prioritize for a successful audit.
  2. After reviewing the PCI-DSS website—often the first stop for beginners—they realized the complexity of maintaining compliance and documentation could easily spiral out of control, disrupting daily operations.

In essence, The Boxoffice Co. team needed a clear and efficient plan to achieve compliance goals. This plan needed to be built on actionable steps, technical expertise, and open communication, while avoiding wasting time on research and documentation.

“Taking on PCI DSS felt like we were going camping for the first time. We had no idea what to do or what to bring with us, which was quite stressful. We needed someone to guide us through the process.”

The Solution: Expert-backed PCI-DSS scoping and automated compliance

Sprinto’s solution consultants laid out a clear path for Boxoffice to achieve PCI-DSS compliance within their timelines, ensuring minimal disruption to global teams. This, along with Sprinto’s affordability and competitive features made the platform the top choice for Boxoffice.

“Sprinto broke down the journey into achievable and practical steps, what to do, and who can do it, showing us how we could achieve PCI-DSS compliance without people dedicated full-time. The platform would do the heavy lifting with our account manager guiding us. This felt reassuring, especially since it meant we wouldn’t have to read thousands of pages on PCI guidelines,” reflects Marine.

The Boxoffice Company quickly onboarded Sprinto, and a dedicated team got to work scoping out which activities fell under PCI-DSS. They integrated cloud assets and infrastructure across geographies and teams for centralized, automated control monitoring, then focused on rolling out updated policies, employee security training, and a vulnerability disclosure program – each key to the PCI-DSS audit – with Sprinto-vetted vendors onboarded for ASV scanning and VAPT. This initial phase took around 6 weeks and got the team 50% of the way to PCI-DSS compliance on Sprinto’s unified control dashboard, having started at ~30% PCI readiness.

From there, The Boxoffice Company compliance A-team focused on fixing controls and monitoring them until their final PCI-DSS audit. Sprinto simplified this with real-time alerts and emails for any control failures and vulnerabilities. Boxoffice also formed a “PCI committee” made of representatives from legal, HR, Engineering, and Ops teams, to ensure control maintenance and audit readiness – a novel approach for a novel mandate. 

Marine observes, “It takes a village to achieve compliance. With our distributed team across time zones, Sprinto helped us outline clear tasks and timelines, keeping everyone engaged and accountable for their part.” 

Within weeks, the team at The Boxoffice Company was up to 98% PCI-DSS control health on the Sprinto dashboard and ready for their Level 1 audit.


The Results: Security and compliance harmony across distributed teams

“The PCI audit was very easy and fast, Sprinto pre-prepares everything, and auditors get their own dashboard to check evidence. They just went down the list, saw all the green check marks, and it was done,” explains Marine.

The Boxoffice Company’s PCI-DSS audit was unremarkable in the best way. Evidence was collected automatically, clearly linked to PCI control requirements, and pre-reviewed by Sprinto’s in-house experts. 

The result? A swift, spotless audit with few queries for the Boxoffice team. 

Sprinto’s impact, however, stretched beyond just making audits easy on the team. 

The platform helped The Boxoffice Company streamline security operations by surfacing system inefficiencies, allowing them to be smoothed over and standardized. 

The “people” side of operations, in particular, is a prime example. With 200+ employees distributed across 9 time zones, The Boxoffice Company faced a fragmented onboarding process. Sprinto brought much-needed process harmony, aligning their operations with security best practices across the board.

“Our HR systems are different in each territory, and there’s no overarching system in place. In the UK it’s SageHR, ADP TotalSource in the U.S., and so on. Sprinto helped us tidy up the onboarding process, because now whenever there’s a new employee they’re added on Sprinto and the security process happens seamlessly,” says Marine.

Sprinto provided a mechanism for security training, staff device management, and policy acknowledgments, effectively acting as a forcing function for The Boxoffice Company to introduce a “compliance layer” on top of the standard, region-specific operating processes. This layer consisted of updated and uniform IT standards for both privacy and security – essential for demonstrating PCI-DSS compliance.

Today, The Boxoffice Company monitors PCI-DSS as well as GDPR controls on Sprinto, and compliance is a natural part of operations within the organization, enabling The Boxoffice Company to win big and keep the business they’ve won.

“Sprinto keeps us honest. Sprinto flags alerts for everything – be it missed scans on an unsecured employee laptop or a new code vulnerability. Even after the PCI audit, Sprinto’s helping us keep the certification.”