PCI DSS

Protect cardholder data and achieve PCI DSS v4.0 compliance before the March 2025 deadline.

Key Deliverables

CDE Scoping
12-Requirement Gap Analysis
Penetration Testing
SAQ Completion
QSA Assessment
Remediation Support
Overview

About This Service

PCI DSS v4.0 applies to every organisation that stores, processes, or transmits payment card data — merchants, processors, acquirers, and service providers. We handle scoping, gap analysis, control implementation, penetration testing, and QSA assessment support.
6 Deliverables · 5 Key Benefits · 3 FAQs Answered

Ready to get started?

Book a free 30-minute discovery call. No commitments.

Talk to an Expert or take our free assessment

PCI DSS Compliance Protecting Payment Card Data Across the Transaction Lifecycle

The Payment Card Industry Data Security Standard (PCI DSS) is a mandatory security standard for any organisation that stores, processes, or transmits payment card data. It is not optional — compliance is required by the card brands (Visa, Mastercard, American Express, Discover, JCB) as a condition of accepting or processing card payments. Version 4.0, released in March 2022, represents the most significant update to the standard in over a decade, with all organisations required to comply with the new requirements by March 2025.

What PCI DSS v4.0 changes

PCI DSS v4.0 introduces a fundamental shift in approach. While previous versions prescribed specific controls, v4.0 introduces a “customised approach” that allows organisations to meet security objectives using alternative methods — provided they can demonstrate equivalent or better security outcomes. This flexibility comes with increased responsibility: organisations using the customised approach must document their control design, perform targeted risk analysis, and demonstrate effectiveness to their assessor.

Key new requirements include multi-factor authentication for all access to the cardholder data environment (not just remote access), automated log review mechanisms, targeted risk analysis for controls with periodic frequencies, enhanced requirements for service provider accountability, stronger e-commerce and anti-phishing protections, and formal security awareness training that addresses current threats.

01

Who PCI DSS applies to

The standard applies to every entity in the payment card ecosystem. Merchants of all sizes — from large retailers processing millions of transactions to small e-commerce businesses using hosted payment pages. Payment processors and payment service providers that handle card data on behalf of merchants. Acquirers and issuers that process card transactions. Service providers that store, process, or transmit cardholder data, or that could affect the security of cardholder data.

The validation requirements depend on your transaction volume and role. Level 1 merchants and all service providers require an annual Report on Compliance (RoC) from a Qualified Security Assessor (QSA). Smaller merchants may self-assess using the appropriate Self-Assessment Questionnaire (SAQ), but must still implement all applicable controls.

02

The twelve requirements

PCI DSS is organised around twelve requirements grouped into six control objectives:

1. Install and maintain network security controls.
2. Apply secure configurations to all system components.
3. Protect stored account data.
4. Protect cardholder data with strong cryptography during transmission.
5. Protect all systems and networks from malicious software.
6. Develop and maintain secure systems and software.
7. Restrict access to cardholder data by business need to know.
8. Identify users and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Log and monitor all access to system components and cardholder data.
11. Test security of systems and networks regularly.
12. Support information security with organisational policies and programmes.

Each requirement contains detailed sub-requirements and testing procedures. Version 4.0 has over 250 individual requirements, many with multiple sub-points.

03

Scoping — the most critical step

The single most impactful decision in PCI DSS compliance is scoping. The cardholder data environment (CDE) includes all systems that store, process, or transmit cardholder data, plus all systems connected to or that could impact the security of the CDE. Poor scoping — either too broad or too narrow — is the most common source of PCI DSS programme failures. We invest significant effort in scoping because reducing the CDE through network segmentation, tokenisation, and point-to-point encryption directly reduces compliance cost and complexity.

04

How we help

Our PCI DSS practice covers the full compliance lifecycle. We begin with CDE scoping and network architecture review to identify opportunities to reduce scope. A comprehensive gap analysis against all applicable v4.0 requirements identifies what you have, what you are missing, and what needs to change. We support implementation of technical and administrative controls, conduct or coordinate penetration testing (a PCI DSS requirement), and prepare you for QSA assessment. For merchants eligible for SAQ, we guide the self-assessment process to ensure completeness and accuracy.

Why It Matters

What PCI DSS gives your business

01

Reduced scope, reduced cost

Expert CDE scoping through segmentation and tokenisation shrinks the compliance boundary, directly lowering implementation and assessment costs.

02

v4.0 readiness

Full alignment with PCI DSS v4.0 requirements, including the new customised approach option, targeted risk analysis, and enhanced authentication controls.

03

Avoid non-compliance penalties

Card brands impose escalating fines for non-compliance, and acquiring banks can increase transaction fees or terminate processing agreements.

04

Protect against breach liability

Organisations that suffer a card data breach while non-compliant face significantly higher financial exposure, including forensic investigation costs and fraud losses.

05

Streamlined assessment

Thorough preparation and evidence organisation reduces QSA assessment time and the likelihood of findings that delay your Report on Compliance.

FAQ

Common questions

Can't find what you need? Talk to our team.

Do we need a QSA assessment or can we self-assess?
This depends on your transaction volume and role. Level 1 merchants (over 6 million transactions annually for Visa/Mastercard) and all service providers that store, process, or transmit cardholder data require a QSA-led Report on Compliance. Smaller merchants can typically self-assess using the appropriate SAQ, though some acquirers may require a QSA assessment regardless of volume. We can help determine which validation type applies to you.
How can we reduce our PCI DSS scope?
The most effective scope reduction strategies are network segmentation (isolating the CDE from the rest of your network), tokenisation (replacing card data with non-sensitive tokens), and using PCI-validated point-to-point encryption. For e-commerce, using a PCI-compliant payment service provider with hosted payment pages or iframes can significantly reduce your SAQ scope. We evaluate your architecture and recommend the most cost-effective approach.
What happens if we fail a PCI DSS assessment?
A failed assessment is not uncommon and is not a catastrophe — it means findings were identified that need remediation. You will receive a detailed list of non-compliant requirements and have an agreed timeframe to remediate them. The QSA will then re-test the affected areas. The real risk is operating without a valid compliance attestation, which can result in fines from card brands, increased processing fees, and contractual consequences with your acquiring bank.
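The scoping section and the FAQ answer above both name tokenisation as the main way to pull systems out of the cardholder data environment. The following Python is an added illustration of that idea and is not code from this page or from the service it describes: a hypothetical in-memory `TokenVault` is the one component that ever holds a PAN, everything else works with an opaque token, display output is masked to the BIN and last four digits, and a log-redaction pass catches Luhn-valid card numbers that leak into log lines. The sample PAN is the widely published Visa test number, and all names and the vault design are assumptions for the example.

```python
import re
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """True when a 13-19 digit string passes the Luhn checksum used by card numbers."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: only the BIN (first six) and last four remain visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TokenVault:
    """Hypothetical vault: the single in-scope service that maps tokens back to PANs.

    A real deployment would keep this store encrypted and access-controlled; an
    in-memory dict is used here only so the example runs stand-alone.
    """
    _store: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        """Store the PAN and hand back an opaque token that carries no card data."""
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        token = "tok_" + secrets.token_hex(12)   # random, not derived from the PAN
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment step that must talk to the processor calls this."""
        return self._store[token]


# Runs of 13-19 digits, optionally separated by spaces or dashes, are PAN candidates.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def redact_pans(line: str) -> str:
    """Replace Luhn-valid card numbers in a log line; other digit runs are left alone."""
    def _sub(match: re.Match) -> str:
        return "[REDACTED-PAN]" if luhn_valid(match.group(0)) else match.group(0)
    return PAN_PATTERN.sub(_sub, line)


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"            # published Visa test number
    token = vault.tokenize(test_pan)
    print("order system stores:", token)     # no card data leaves the vault
    print("receipt shows:", mask_pan(test_pan))
    # Constructed log line showing a PAN that leaked into application logging.
    print(redact_pans(f"order 42 pan={test_pan} approved"))
```

The point for scoping is that only the vault and the code path that calls `detokenize` stay inside the CDE; an order system, analytics pipeline or support tool that sees nothing but `tok_...` values handles no cardholder data. The redaction pass is a safety net, not a substitute for never logging the PAN in the first place, and it should be applied before log lines leave the in-scope host.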

Start your PCI DSS journey today.

Every engagement begins with a free discovery call. No commitments, no pressure — just a clear picture of where you stand.