
PCI DSS Software Development & Compliance for FinTech, E-commerce and SaaS Handling Cardholder Data

PCI DSS v4.0.1 is the only valid version, and the 'future-dated' new requirements became mandatory on 31 March 2025 — including authenticated internal scans, MFA into the CDE, automated log review, and the script-integrity controls that catch every SAQ A-EP merchant out. We scope your cardholder data environment, push you down the SAQ ladder (A, A-EP, B, B-IP, C, C-VT, D, P2PE) with tokenisation, redirect and P2PE architectures, implement the 12 requirements across network, encryption, IAM, logging, secure development and vendor management, and run the QSA/ISA/ASV relationships. Engineering-grade controls, QSA-defensible scope memos. Scoping from 6,000 EUR.

The cheapest PCI DSS programme is the one with the smallest scope. The most expensive is the one where a single uncontrolled HTML form on the marketing site drags the entire web stack into the CDE. We start every engagement with a written scoping memo that your acquirer's QSA will accept, then design the architecture that keeps cardholder data out of systems that do not need it — tokenisation vaults, redirect-only checkout, P2PE terminals, segmented CDE behind documented firewall rules. The result: fewer controls to maintain, faster audits, and a security posture that survives v4.0.1 enforcement.

What we deliver

CDE scoping memo

Written cardholder data environment map: every system that stores/processes/transmits PAN, every connected-to system, every out-of-scope justification. SAQ-eligibility decision and the architecture changes that move you down the SAQ ladder.

Network & segmentation

Req 1 firewall standards, Req 2 hardening, dedicated VPC/subnets for the CDE with documented ingress/egress, jump host with MFA, segmentation testing per Req 11.4.5 (annually for merchants, every 6 months for service providers).

Encryption & key management

Req 3 PAN storage with strong cryptography (AES-256, FIPS 140-2/3 validated), Req 4 transmission TLS 1.2+ with strong ciphers, key lifecycle per Req 3.7, split knowledge and dual control for key custodians, KMS-backed envelope encryption.

Secure development

Req 6 secure SDLC: threat modelling, secure coding training, code review, SAST/DAST integration, dependency scanning, change-management workflow, OWASP Top 10 testing, and the v4.0.1 web-tier script integrity controls (Req 6.4.3 + 11.6.1).

Logging & monitoring

Req 10 audit logging with the v4.0.1 automated log review (Req 10.4.1.1), 1 year retention (3 months immediately accessible), file integrity monitoring (Req 11.5), IDS/IPS (Req 11.5.1), and the alert-to-on-call workflow.

SAQ / RoC operations

SAQ completion (A, A-EP, B, B-IP, C, C-VT, D, P2PE) or RoC support, AOC sign-off, QSA liaison, ASV quarterly scan oversight (Req 11.3.2), annual penetration test (Req 11.4.3), targeted risk analyses for every v4.0.1 customised approach.

Requirements, controls and standards we cover

PCI DSS v4.0.1 · Req 1 Network · Req 2 Hardening · Req 3 Stored PAN · Req 4 Transmission · Req 5 Malware · Req 6 Secure Dev · Req 6.4.3 Script Mgmt · Req 7 Access Restriction · Req 8 Authentication / MFA · Req 9 Physical · Req 10 Logging · Req 10.4.1.1 Auto Review · Req 11 Vuln & Pentest · Req 11.3.2 ASV Scans · Req 11.6.1 Script Integrity · Req 12 Policy & Risk · SAQ A / A-EP · SAQ B / B-IP / C / C-VT · SAQ D / P2PE · QSA Liaison · ISA Support · Tokenisation · P2PE Validated · PSD2 SCA / 3DS 2.x · PIN Security / PCI 3DS

How an engagement runs

  1. Scope & SAQ

    Weeks 1–3: CDE inventory, SAQ-eligibility decision, scope-reduction architecture (tokenisation, redirect, P2PE), gap analysis against the applicable controls, remediation roadmap signed by the security officer.

  2. Architect & segment

    Weeks 4–6: stand up the segmented CDE, deploy tokenisation/redirect architecture, isolate connected-to systems, document the data flow and firewall rules, and run the first segmentation test.

  3. Implement controls

    Weeks 6–12: MFA into the CDE, encryption and key management, logging and automated review, secure SDLC, vendor management, script controls, and the PCI policy pack mapped to the 12 requirements.

  4. SAQ & ongoing

    Year-round: quarterly ASV scans, annual penetration test, segmentation testing, targeted risk-analysis refresh, SAQ completion / RoC support, and AOC sign-off. v4.0.1 customised-approach documentation kept current.

Engagement packages

Scoping

Two to three weeks, fixed scope. CDE mapping, SAQ-eligibility decision, scope-reduction architecture memo (tokenisation, redirect, P2PE), gap analysis against the applicable SAQ controls, remediation roadmap. 6,000 EUR fixed.

Implementation

Eight to twelve weeks. Network segmentation, MFA, encryption and key management, logging with automated review, secure development, vendor management, web-tier script controls, and the PCI DSS policy pack. 20,000 EUR fixed.

Annual SAQ Renewal

Annual fixed engagement. ASV scan oversight (quarterly throughout the year), targeted risk-analysis refresh, annual penetration test coordination, segmentation testing, SAQ completion and AOC sign-off support. 4,500 EUR fixed/year.

QSA Report on Compliance (RoC) audit fees billed separately by the QSA firm. ASV scan fees billed separately by the ASV. We work with your incumbent QSA/ASV or introduce vendors from our network. NDA and DPA signed before kickoff.

Why FinTech and merchant teams pick YuSMP for PCI DSS

GDPR-aligned · ISO 27001 ready · SOC 2 Type II in progress · HIPAA-capable · PCI DSS v4.0.1-current

Engineers, not policy consultants

We read your VPC topology, your Stripe/Adyen/Checkout integration code, and your IAM policies before writing the scoping memo. The architecture decisions hold up because they reflect what the code actually does.

Scope minimisation first

Every hour spent reducing scope saves five hours of audit prep and ten hours of ongoing operations. We default to the smallest defensible CDE and document the carve-outs in language your QSA will accept.

One evidence library, many regimes

PCI Req 7/8/10/12 overlap with SOC 2 CC, ISO 27001 Annex A, and GDPR Article 32 by ~60%. One evidence library, multiple opinions, no duplicate audit prep.

For QSA selection and RoC preparation we work alongside your acquirer's recommended QSA list or our own network — the deliverable is a clean AOC, not a marketing PDF.

Frequently asked questions

Which SAQ applies to me, and how do I shrink the scope?

PCI SSC defines nine SAQ types. SAQ A applies to e-commerce/MOTO merchants that fully outsource cardholder data handling to a PCI-validated third party (hosted payment page, full redirect). SAQ A-EP applies to merchants whose website affects payment but does not receive cardholder data (e.g., JavaScript that posts directly to a processor — v4.0.1 added new script-integrity requirements here). SAQ B is for imprint or standalone dial-out terminals; SAQ B-IP for standalone IP terminals. SAQ C and C-VT are for payment-application systems and virtual terminals. SAQ D is the full 300+ question monster — every service provider and every merchant that stores cardholder data lands here. We work to push you down the SAQ ladder: tokenisation, iframe/redirect patterns, P2PE-validated terminals (SAQ P2PE), and CDE network isolation typically move a Level 2 merchant from SAQ D to SAQ A-EP or SAQ A.

What changed in PCI DSS v4.0.1 versus v3.2.1, and when do the new requirements bite?

PCI DSS v4.0 superseded v3.2.1 on 31 March 2024; v4.0.1 (errata release) is now the only valid version. The 'future-dated' new requirements became mandatory on 31 March 2025 — these include targeted risk analyses for every requirement that allows flexibility, automated mechanisms for log review (Req 10.4.1.1), authenticated internal vulnerability scans (Req 11.3.1.2), web-tier script integrity controls (Req 6.4.3 and 11.6.1 — critical for SAQ A-EP), MFA for all access into the CDE (Req 8.4.2/8.5), and a documented assignment of every requirement to a role. We close v4.0.1 gaps and document the targeted risk analyses your QSA will ask for.
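A check of the kind Req 6.4.3 and 11.6.1 call for, as an added example (not the firm's tooling and not code from this page): it parses a constructed payment page, compares every script against a constructed authorised-script inventory, and reports the deviations a tamper-detection run would raise. The hostnames, script bodies and inventory format are assumptions.

```python
import base64
import hashlib
from html.parser import HTMLParser
def sri_sha384(body: str) -> str:  # Subresource Integrity digest (sha384, base64) of a script body
    return "sha384-" + base64.b64encode(hashlib.sha384(body.encode()).digest()).decode()
# Constructed script bodies and inventory: Req 6.4.3 wants every payment-page script
# listed, justified, authorised and integrity-assured. Hostnames are hypothetical.
CHECKOUT_JS = "window.PSP.mount('#card', {tokenize: true});"
INLINE_BOOT = "window.PSP = window.PSP || {};"
PSP_URL = "https://js.psp.example/v3/checkout.js"
INVENTORY = {PSP_URL: sri_sha384(CHECKOUT_JS), "inline": {sri_sha384(INLINE_BOOT)}}
class ScriptCollector(HTMLParser):  # collects (attributes, inline body) for every <script>
    def __init__(self):
        super().__init__()
        self.scripts, self._attrs, self._body = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._attrs, self._body = dict(attrs), []
    def handle_data(self, data):
        if self._attrs is not None:
            self._body.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._attrs is not None:
            self.scripts.append((self._attrs, "".join(self._body)))
            self._attrs = None
def check_payment_page(html: str, inventory: dict) -> list:  # [] means the page matches the inventory
    parser = ScriptCollector(); parser.feed(html)
    findings = []
    for attrs, body in parser.scripts:
        src = attrs.get("src")
        if src is None:                             # inline script: hash its body
            if sri_sha384(body) not in inventory["inline"]:
                findings.append(("unauthorised inline script", body[:40]))
        elif src not in inventory:                  # not in the Req 6.4.3 inventory
            findings.append(("unauthorised script", src))
        elif "integrity" not in attrs:              # no SRI, so the browser cannot enforce it
            findings.append(("missing SRI attribute", src))
        elif attrs["integrity"] != inventory[src]:  # Req 11.6.1 change/tamper signal
            findings.append(("integrity mismatch", src))
    return findings

# Constructed pages: CLEAN_PAGE matches the inventory, TAMPERED_PAGE adds four deviations.
GOOD = [f'<script src="{PSP_URL}" integrity="{INVENTORY[PSP_URL]}" crossorigin="anonymous"></script>',
        f"<script>{INLINE_BOOT}</script>"]
BAD = [f'<script src="{PSP_URL}" integrity="sha384-{"B" * 64}"></script>',     # digest changed
       f'<script src="{PSP_URL}"></script>',                                     # SRI attribute dropped
       '<script src="https://cdn.tagmanager.example/tag.js"></script>',         # never authorised
       "<script>document.getElementById('pay').onsubmit = unknownHandler;</script>"]
CLEAN_PAGE = "<html><body><form id='pay'></form>" + "".join(GOOD) + "</body></html>"
TAMPERED_PAGE = "<html><body><form id='pay'></form>" + "".join(GOOD + BAD) + "</body></html>"
```

Run it against the HTML actually served to the browser (not the source repository) on a schedule, and treat any non-empty result as a change-detection alert to be reconciled with the inventory.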

What is the difference between QSA, ISA, and ASV — and which do I actually need to hire?

QSA (Qualified Security Assessor) is an external assessor certified by the PCI SSC to perform Report on Compliance (RoC) audits — required for Level 1 merchants and most Level 1 service providers. ISA (Internal Security Assessor) is an in-house employee certified to perform internal assessments and sign SAQs on behalf of their employer. ASV (Approved Scanning Vendor) is a separate certification for vendors running quarterly external vulnerability scans per Req 11.3.2 — Qualys, Tenable, Rapid7, and others hold ASV status. You typically need an ASV from day one (quarterly scans), and a QSA only if you are Level 1 or a service provider on the brand's mandated list. We are not a QSA or ASV; we are the team that gets you ready for both and runs the relationship.

How do tokenisation and P2PE actually reduce my PCI DSS scope?

PCI DSS scope is defined by the cardholder data environment (CDE) — any system that stores, processes or transmits cardholder data, plus connected systems. Tokenisation replaces the PAN with a non-sensitive token issued by a PCI-validated tokenisation service; if PAN never touches your systems (or only touches a tightly bounded vault), most of your stack is descoped. P2PE (Point-to-Point Encryption) is a PCI SSC validated solution that encrypts card data at the terminal hardware with a key your systems cannot decrypt — qualifying merchants drop to SAQ P2PE (~35 controls vs 300+). We design the tokenisation/P2PE architecture, document the scope reduction in a written scoping memo your QSA will accept, and segment the residual CDE behind firewalls/VPC peering with documented flow controls.

How does PCI DSS interact with PSD2 SCA, EMV 3-D Secure, GDPR and SOC 2?

Layered: PCI DSS protects cardholder data at rest and in motion; PSD2 Strong Customer Authentication (SCA) governs how a payer authenticates a transaction in the EEA/UK (and EMV 3-D Secure 2.x is the technical protocol that delivers it); GDPR adds personal-data obligations on top of PCI — PAN is personal data under GDPR. SOC 2 CC and C controls overlap with PCI Req 7, 8, 10, 12 by ~60%. We build a single integrated controls map: SCA flows, 3DS exemptions, GDPR Article 6 lawful basis for payment processing, PCI DSS encryption and access controls, and SOC 2 evidence — all aligned so the same control discharges multiple obligations.

What does pricing look like, and what is in versus out of scope?

Three packages. Scoping is 6,000 EUR fixed (2–3 weeks): CDE mapping, SAQ-eligibility decision, scope-reduction architecture memo (tokenisation, redirect, P2PE), gap analysis against the applicable SAQ controls, remediation roadmap. Implementation is 20,000 EUR fixed (8–12 weeks): network segmentation, MFA on all CDE access, encryption (FIPS 140-2/3), logging per Req 10 with automated review, secure development per Req 6, vendor management per Req 12.8, web-tier script controls per Req 6.4.3/11.6.1, and the PCI DSS policy pack. Annual SAQ Renewal is 4,500 EUR fixed: ASV scan oversight (quarterly throughout the year), targeted risk-analysis refresh, SAQ completion and AOC sign-off support. QSA fees billed separately by the QSA firm.

Need a defensible PCI DSS scoping memo before your next acquirer review?

Book a PCI call