A complete PCI-DSS compliance programme, from CDE scope reduction and SAQ guidance to network segmentation testing, external ASV scans, and comprehensive QSA audit preparation for merchants and service providers.
PCI-DSS compliance is not optional. Merchants and service providers that store, process, or transmit cardholder data face card brand fines, forensic investigation costs, and loss of card-processing privileges if they are found non-compliant after a breach. Version 4.0 introduces 64 new requirements focussed on multi-factor authentication, e-commerce security, and the customised approach to implementing controls.
Minimise the CDE through segmentation, tokenisation, and P2PE/E2EE per Requirements 1 and 3, reducing the number of controls you must demonstrate to your QSA.
Guided SAQ completion for all types (A through P2PE) with control evidence templates mapped to Requirements 1-12.
Validate that segmentation isolates the CDE from out-of-scope systems per Requirement 1.3 and the scoping guidance.
Gap current controls against all 12 PCI-DSS v4.0 requirement domains, prioritising remediation by risk severity.
Map cardholder data flows across systems, vendors, and payment channels to define precise CDE boundaries per Requirement 3.
Audit payment processors and service providers for PCI-DSS compliance, reviewing AOCs and data handling per Requirement 12.8.
Quarterly ASV scans per Requirement 11.2 across all internet-facing CDE IP addresses and domains.
Annual penetration testing per Requirement 11.4 with internal, external, and segmentation validation components.
Pre-audit readiness review, evidence packaging, and a mock QSA assessment to produce a clean Report on Compliance.
Deploy tokenisation per Requirement 3 to replace cardholder data with non-sensitive tokens, reducing CDE scope.
Deploy MFA per Requirement 8 with role-based access controls and privileged access management for CDE systems.
Implement audit logging per Requirement 10 covering all CDE access, administrative actions, and security event correlation.
Ongoing quarterly ASV scans per Requirement 11.2 with remediation tracking and rescan coordination.
Annual penetration testing per Requirement 11.4 with internal, external, and segmentation validation.
Real-time CDE monitoring with file integrity monitoring, intrusion detection, and alerting per Requirements 10 and 11.
Annual SAQ renewal or ROC preparation with updated evidence and acquiring bank submission coordination.
Review CDE changes against all applicable PCI-DSS requirements to maintain compliance posture post-modification.
Annual tabletop exercises for cardholder data breach scenarios aligned with PCI-DSS and card brand notification requirements.
Any merchant accepting Visa, Mastercard, Amex, or Discover payments, whether in-store or online, must comply with PCI-DSS. The merchant level determines whether a SAQ or a full ROC assessment is required.
Payment processors, gateways, and technology providers that store, process, or transmit cardholder data on behalf of merchants are subject to PCI-DSS as service providers.
Online retailers are directly affected by PCI-DSS v4.0's new e-commerce requirements covering client-side script integrity and payment page security.
A structured six-phase process from initial CDE scoping through to ongoing annual compliance and ROC/SAQ renewal.
Define CDE scope, identify segmentation opportunities, map card data flows, and gap-assess current controls against all PCI-DSS v4.0 requirements.
Implement tokenisation, P2PE, or network segmentation to minimise CDE scope, then remediate identified control gaps across all twelve requirement domains.
Deploy required controls including MFA, encryption, access management, logging, and vulnerability management aligned to PCI-DSS v4.0 requirements.
Conduct quarterly ASV scans and annual penetration testing with internal, external, and segmentation validation components.
Pre-audit readiness review, evidence packaging, and a mock QSA assessment to ensure a smooth on-site audit and a clean Report on Compliance (ROC).
Quarterly ASV scans, annual penetration testing, SAQ renewal, ROC maintenance, and continuous monitoring to sustain PCI-DSS compliance year-round.