PCI DSS
Compliance Readiness
Helping organizations that handle cardholder data meet PCI DSS requirements without the guesswork.
Overview
PCI DSS is the security standard that governs how organizations handle, process, and store payment card data. Whether you're a merchant, service provider, or technology vendor in the payment ecosystem, non-compliance exposes you to fines, card brand penalties, and direct liability in the event of a breach. We help you understand exactly where you stand, close the gaps that matter most, and walk into your next assessment with confidence.
A retailer came to us after their acquiring bank flagged them for a compliance deadline. They had been processing cards for years assuming their payment processor covered everything. It didn't. Scope misunderstanding is one of the most common and costly PCI mistakes — and it's entirely preventable.
Scoping & Gap Analysis
We identify which systems, networks, and processes fall within your cardholder data environment (CDE) and assess your current controls against PCI DSS v4.0 requirements. You get a clear, prioritized gap report (not a sales pitch for the longest remediation engagement possible).
Remediation Guidance
We work through your gaps with a practical remediation plan prioritized by risk and business impact. We explain what needs to change, where compensating controls may apply, and how to implement fixes your team can actually sustain over time.
Assessment Preparation & Support
We prepare your documentation, evidence package, and team for your QSA assessment or self-assessment questionnaire (SAQ). We close the readiness gaps before the assessor shows up so there are no surprises.
PCI DSS v4.0 introduced new requirements with multi-year implementation timelines. If you haven't reviewed your compliance posture since the transition, now is the time.
What You Can Expect
- Cardholder data environment (CDE) scoping review
- Gap analysis against PCI DSS v4.0 requirements
- Prioritized remediation roadmap with practical guidance
- Support for SAQ completion or QSA engagement preparation
- Executive summary suitable for board or acquiring bank reporting
Building the policy foundation first? Our Policy & Procedure Development service establishes the governance framework that PCI DSS compliance depends on.
Who This Is For
- Merchants and service providers that process, store, or transmit payment card data and have never formally assessed their PCI DSS compliance posture
- Organizations flagged by their acquiring bank or card brand for a compliance deadline or remediation requirement
- Companies that have grown and are unsure whether their current security controls meet PCI DSS v4.0 requirements
- Technology vendors in the payment ecosystem that need to demonstrate compliance to enterprise customers or partners
- Businesses preparing for a QSA assessment and wanting to close gaps before the assessor arrives
Common Questions
Who is required to comply with PCI DSS?
Any organization that accepts, processes, stores, or transmits credit card data is required to comply with PCI DSS. This includes merchants of all sizes, payment processors, service providers, and technology vendors that touch cardholder data environments. The specific validation requirements (SAQ type or QSA assessment) depend on transaction volume and how cardholder data flows through your environment. Scope misunderstanding is one of the most common and costly PCI mistakes — assuming your payment processor handles compliance on your behalf is rarely accurate.
What is the difference between a SAQ and a QSA assessment?
A Self-Assessment Questionnaire (SAQ) is a self-reported compliance validation completed by merchants and service providers that qualify based on how they accept payments and their transaction volume. A Qualified Security Assessor (QSA) is an independent, PCI-certified third party required for large merchants and certain service providers — they conduct an on-site audit and produce a Report on Compliance (ROC).
There are several SAQ types, each applying to a specific payment acceptance scenario:
- SAQ A — Card-not-present merchants (e-commerce, mail, or phone) that have fully outsourced all cardholder data functions to a PCI-compliant third party. No cardholder data is stored, processed, or transmitted on your systems or premises.
- SAQ A-EP — E-commerce merchants that outsource payment processing but whose website directly affects how the payment page loads or behaves. More controls than SAQ A because your site is part of the payment flow.
- SAQ B — Merchants using only imprint machines or standalone dial-out terminals. No electronic cardholder data storage.
- SAQ B-IP — Merchants using standalone IP-connected payment terminals that are PCI-listed and do not transmit cardholder data over your internal network.
- SAQ C — Merchants with payment systems connected to the internet, but no electronic cardholder data storage. Typically applies to POS systems with an internet connection.
- SAQ C-VT — Merchants that process payments through a web browser using a virtual terminal provided by a third party. Applies only when a single employee at a time enters card data manually.
- SAQ D (Merchant) — All merchants that don't qualify for any of the above. The most comprehensive SAQ, covering all 12 PCI DSS requirement areas.
- SAQ D (Service Provider) — Service providers that are eligible for SAQ validation. Broader in scope than the merchant version.
Choosing the wrong SAQ type is a common mistake that can leave real gaps in your compliance posture (and in some cases, waste time due to unneeded complexity). We help you determine which SAQ applies to your specific environment and prepare the documentation to complete it accurately.
What are the PCI DSS merchant levels and how do they affect my compliance requirements?
PCI DSS merchant levels are assigned by card brands (Visa, Mastercard, etc.) based on your annual transaction volume. Your level determines what validation you're required to complete.
- Level 1 — More than 6 million transactions per year (or any merchant that has experienced a breach). Requires an annual on-site audit by a QSA and a quarterly network scan.
- Level 2 — 1 to 6 million transactions per year. Requires an annual SAQ and quarterly network scan.
- Level 3 — 20,000 to 1 million e-commerce transactions per year. Requires an annual SAQ and quarterly network scan.
- Level 4 — Fewer than 20,000 e-commerce transactions, or up to 1 million transactions across all other channels. Annual SAQ recommended; network scans may be required depending on your acquiring bank.
Your acquiring bank (the bank that processes your card payments) enforces these requirements and sets deadlines. If you're unsure what level applies to you, that's one of the first things we establish in a scoping engagement.
What changed in PCI DSS v4.0?
PCI DSS v4.0, effective March 2024, introduced over 60 new requirements (many with implementation deadlines through March 2025 and beyond). Key changes include expanded multi-factor authentication requirements, enhanced phishing protection, stricter password requirements, new requirements for targeted risk analysis, and updated e-commerce controls. Organizations that completed a PCI compliance assessment under version 3.2.1 need to review their posture against v4.0 requirements to confirm they remain compliant.