PCI-DSS Compliance
Minimise Your CDE. Maximise Compliance Efficiency.
PCI-DSS compliance cost scales with your cardholder data environment size. The most important thing you can do is minimise your scope through effective segmentation - then certify it. We help you with both.
Start Your PCI-DSS Assessment
Why PCI-DSS Compliance Matters
The standard that protects your customers' payment data - and your ability to process it
Reduce Compliance Cost Through Scoping
The size of your CDE determines the cost of your PCI-DSS compliance programme. Effective segmentation can transform a Level 1 assessment into a much simpler SAQ. We find and implement the segmentation controls that shrink your scope.
Avoid Card Brand Penalties & Fines
Non-compliance with PCI-DSS can result in fines from card brands, loss of the ability to process payments, and liability for fraud losses following a breach. Our gap analysis identifies the risks before your QSA or an incident does.
Protect Cardholder Data
PCI-DSS requirements exist because payment card fraud is real and costly. Controls that satisfy PCI-DSS also genuinely protect your customers' cardholder data from the threat actors who specifically target payment environments.
What's Included
Complete PCI-DSS compliance programme from scoping through QSA support
CDE Scoping & Data Flow Mapping
We map every location where cardholder data is stored, processed, or transmitted, and identify every connected system that could impact CDE security. Clear, defensible scope definition is the single most important step - bad scoping makes compliance expensive.
Network Segmentation Design & Testing
Proper segmentation isolates your CDE from out-of-scope systems, dramatically reducing your compliance surface and associated cost. We design segmentation architecture and conduct technical testing to verify controls meet PCI-DSS segmentation requirements.
Gap Analysis Against PCI-DSS v4.0
A requirement-by-requirement gap analysis across all 12 PCI-DSS v4.0 requirements, with each finding categorised by severity and accompanied by specific, actionable remediation guidance aligned to the current standard.
SAQ Guidance & ROC Preparation
We help Level 2-4 merchants select the appropriate Self-Assessment Questionnaire and complete it accurately. For Level 1 merchants requiring a Report on Compliance, we prepare the full documentation package and coordinate with your QSA.
PCI-Scoped Penetration Testing
PCI-DSS Requirement 11.4 mandates annual penetration testing of CDE systems. We conduct PCI-scoped assessments aligned to the PCI DSS Penetration Testing Guidance - covering external perimeter, internal network, and application layers.
QSA Coordination & Audit Support
We organise your evidence, prepare your team for QSA interviews, and remain available as a technical resource during the assessment itself. We've been through enough QSA audits to know exactly what assessors look for.
Our Methodology
Scope minimisation, gap analysis, and audit support - in three phases
Scope & Map
We define the cardholder data environment, map all data flows involving CHD/SAD, and identify all in-scope systems. We then design and test network segmentation that minimises your compliance perimeter.
Gap Analysis & Remediation
We assess all in-scope requirements against your current controls, produce a prioritised gap analysis, and support remediation - including PCI-scoped penetration testing that satisfies Requirement 11.4.
QSA Preparation & Support
We organise evidence packages, prepare your team for interviews, guide SAQ completion or ROC preparation, and remain available throughout the QSA assessment to handle any questions or findings.
Who This Is For
E-Commerce & Marketplace Companies
Any business that stores, processes, or transmits cardholder data is subject to PCI-DSS. If you accept payments directly, you need to understand your scope and comply with the standard.
Payment Service Providers & FinTechs
Service providers that process payments on behalf of merchants carry broader PCI-DSS obligations than the merchants themselves. We help you navigate your specific Level 1 or Level 2 requirements.
Organisations with Previous QSA Findings
If you've received findings or deficiencies from a prior QSA assessment, we help you understand the issues, implement effective remediation, and arrive at your next assessment in a stronger position.
Frequently Asked Questions
Common questions about PCI-DSS compliance
PCI-DSS v4.0 became the only active version in March 2024 after v3.2.1 was retired. Key changes in v4.0 include a customised approach option (allowing alternative controls to meet the intent of requirements), stronger authentication requirements (multi-factor authentication expanded to all non-console admin access), enhanced phishing resistance requirements for personnel, targeted risk analysis mandated for certain requirements, and updated ecommerce/payment page security requirements (Req 6.4). If you're starting a new assessment, you must use v4.0.
Using a payment gateway reduces your scope significantly, but does not eliminate it. Your scope depends on exactly how cardholder data flows through your environment. If you redirect customers completely to your gateway's hosted payment page and never touch cardholder data directly, you may qualify for SAQ A - the most limited scope. But if your application touches payment pages, even just injecting JavaScript, you face SAQ A-EP requirements which are considerably broader. We can determine your exact scope.
Network segmentation means technically isolating your cardholder data environment from the rest of your network so that systems outside the CDE cannot communicate with systems inside it. If you achieve adequate segmentation, the systems outside the CDE are entirely out of PCI-DSS scope - dramatically reducing the number of systems, people, and processes you need to assess. It must be tested at least annually and after any significant changes, which is one of the PCI-scoped penetration tests we perform.
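The segmentation test described in "Network Segmentation Design & Testing" above and in this answer comes down to one question: can any host that is supposed to be out of scope actually open a connection into the CDE? The script below is an added example (it is not this firm's tooling) that evaluates constructed connectivity probe results against a constructed segment map, reports every out-of-scope source that reached a CDE host, and recomputes the effective scope accordingly. Segment names, CIDRs and probe outcomes are all constructed; the probe format (source, destination, port, open/filtered) is an assumption about what a segmentation scan would produce.

```python
"""Segmentation verification check (added example, not the firm's tooling).

Evaluates constructed connectivity probe results against a constructed
segment map and reports any out-of-scope segment that can reach a CDE host.
Such a segment is not isolated and falls back into PCI-DSS scope.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed segment map: name -> (CIDR, PCI classification).
# "cde"          = stores, processes or transmits cardholder data
# "connected"    = can impact CDE security, therefore in scope
# "out_of_scope" = must have no network path into the CDE
SEGMENTS = {
    "cde-payment-app":   ("10.10.0.0/24", "cde"),
    "cde-db":            ("10.10.1.0/24", "cde"),
    "mgmt-bastion":      ("10.20.0.0/24", "connected"),
    "corp-workstations": ("10.30.0.0/24", "out_of_scope"),
    "guest-wifi":        ("10.40.0.0/24", "out_of_scope"),
}

# Constructed probe results: (source_ip, dest_ip, dest_port, outcome).
# "open" means a TCP connection completed; "filtered" means the firewall
# dropped or rejected it. Assumed format for a segmentation scanner's output.
PROBES = [
    ("10.30.0.15", "10.10.0.5", 443, "filtered"),
    ("10.30.0.15", "10.10.1.5", 5432, "open"),     # out-of-scope -> CDE: violation
    ("10.40.0.9",  "10.10.0.5", 22, "filtered"),
    ("10.20.0.3",  "10.10.0.5", 22, "open"),       # connected segment: in scope, allowed
    ("10.10.0.5",  "10.10.1.5", 5432, "open"),     # intra-CDE traffic: expected
]


@dataclass
class Violation:
    source: str
    source_segment: str
    dest: str
    dest_segment: str
    port: int


def segment_of(ip: str) -> str | None:
    """Return the segment name containing ip, or None if it is unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, (cidr, _) in SEGMENTS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def classification(segment: str | None) -> str:
    """Unmapped addresses are treated as out of scope: the conservative
    assumption when deciding whether a path into the CDE is a problem."""
    if segment is None:
        return "out_of_scope"
    return SEGMENTS[segment][1]


def find_violations(probes) -> list[Violation]:
    """Every completed connection from an out-of-scope source into the CDE."""
    violations = []
    for src, dst, port, outcome in probes:
        if outcome != "open":
            continue
        src_seg, dst_seg = segment_of(src), segment_of(dst)
        if classification(dst_seg) == "cde" and classification(src_seg) == "out_of_scope":
            violations.append(Violation(src, src_seg or "unknown", dst, dst_seg or "unknown", port))
    return violations


def effective_scope(probes) -> set[str]:
    """Segments in scope after the test: CDE and connected segments, plus any
    segment labelled out of scope that demonstrably reaches the CDE."""
    scope = {name for name, (_, cls) in SEGMENTS.items() if cls in ("cde", "connected")}
    for v in find_violations(probes):
        scope.add(v.source_segment)
    return scope


if __name__ == "__main__":
    for v in find_violations(PROBES):
        print(f"VIOLATION {v.source} ({v.source_segment}) -> {v.dest}:{v.port} ({v.dest_segment})")
    print("Effective scope:", sorted(effective_scope(PROBES)))
```

Run as-is it reports the single open path from corp-workstations into the CDE database and shows that segment being pulled back into scope; the "filtered" results and the bastion's access are not flagged because they match the intended design. Swapping the constructed map and probe list for your own segment inventory and scanner output is the only change needed to use the check on a real environment.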
Level 1 service providers and merchants must complete an annual Report on Compliance with a QSA. Level 2+ merchants must complete an annual SAQ. All levels require annual penetration testing and quarterly network vulnerability scans. PCI-DSS is an ongoing compliance programme, not a one-time certification - which is why building sustainable processes matters.
Ready to Reduce Your PCI-DSS Scope?
Scoping, segmentation, gap analysis, penetration testing, and QSA preparation - we cover the full programme.
Start Your PCI-DSS Programme