Full-cycle advisory for merchants, payment processors and service providers handling card payment data. We take you from CDE scoping and gap assessment through SAQ completion or QSA-assisted ROC to your Attestation of Compliance — and keep you compliant quarterly thereafter.
The Payment Card Industry Data Security Standard (PCI DSS) is a global security framework governed by the PCI Security Standards Council and mandated by all five major card brands. It applies to every entity that stores, processes or transmits Primary Account Numbers (PANs) — including merchants, payment service providers, acquirers and SaaS platforms with embedded payments.
PCI DSS v4.0 replaced v3.2.1 in March 2024, with six previously "best practice" requirements becoming mandatory from March 2025. The standard now covers 259 sub-requirements across 12 top-level requirements.
Indian context: RBI's Payment Aggregator and Payment Gateway guidelines (2020, updated 2022) explicitly require PCI DSS compliance for all entities handling card data. NPCI also references PCI DSS for card network participants. Non-compliance risks PA/PG licence revocation.
PCI DSS compliance starts with correctly defining your CDE — the systems, people and processes that store, process or transmit cardholder data. Getting the scope wrong is the single biggest cause of failed audits.
Scope reduction strategy: The most effective way to reduce PCI DSS burden is network segmentation and tokenisation. If your systems receive only payment tokens (never raw PANs), they are out of scope. We help you design your architecture to legitimately minimise scope — reducing effort, cost and audit risk significantly.
PCI DSS v4.0 organises 259 sub-requirements across 12 top-level requirements grouped under 6 control goals. We assess, implement and evidence all of them.
Requirement 1: Firewalls / NSCs between untrusted networks and the CDE. Documented NSC rulesets. Six-monthly (bi-annual) ruleset review. Inbound and outbound traffic restricted to what is necessary for the cardholder data environment. All other traffic explicitly denied.
Requirement 2: No vendor-supplied default passwords. Documented configuration standards for all in-scope systems. Disable all unnecessary services, ports and protocols. System component inventory maintained. Wireless environments secured and inventoried.
Requirement 3: Data retention and disposal policy. PAN storage minimised — never store SAD (CVV2/CVC2, PIN blocks, full magnetic stripe) post-authorisation. Stored PAN rendered unreadable using AES-256 or a strong one-way hash. Truncation or tokenisation. Cryptographic key management procedures. v4.0 NEW: disk-level encryption alone is no longer sufficient.
Requirement 4: TLS 1.2 minimum (TLS 1.3 recommended) for all PAN transmission over open/public networks. SSL and early TLS prohibited. Certificate management. Wireless networks use WPA3 or WPA2 with AES. v4.0 NEW: inventory of all trusted keys and certificates required.
Requirement 5: Anti-malware deployed on all systems susceptible to malicious software. Updated anti-malware mechanisms. Periodic evaluations for systems not commonly affected by malware. Anti-phishing mechanisms. v4.0 NEW: anti-phishing technology required for email protection.
Requirement 6: Security in the SDLC. Vulnerability management and patch process (critical patches within 1 month). Web application protection (WAF or code review). Bespoke software development standards. v4.0 MANDATORY: Req 6.4.3, payment page script inventory and integrity control; Req 6.3.3, all software components protected from known vulnerabilities.
Requirement 7: Access control system with default deny-all. All access documented with business justification. Role-based access control (RBAC). Quarterly review of user access rights. Access for third parties/contractors controlled and monitored.
Requirement 8: Unique user IDs. Password complexity (min 12 characters in v4.0). Account lockout after 10 failures. Session timeout after 15 minutes. v4.0 MANDATORY: MFA required for ALL CDE access (not just remote). Service accounts documented and reviewed. Passwords hashed with a strong one-way function.
Requirement 9: Physical access controls to CDE facilities. Visitor access procedures and logs. Media controls for devices containing cardholder data. Point-of-interaction (POI) device protection — inventory, periodic inspection for tampering, training staff to detect skimming devices.
Requirement 10: Audit logs for all CDE access. Log content requirements (user ID, event type, date/time, success/failure, origination, affected component). Log protection from modification. Daily log review. Log retention minimum 12 months (3 months immediately available). v4.0 MANDATORY: automated mechanisms for log review and anomaly detection (Req 10.7.3).
Requirement 11: Wireless access point scanning (quarterly). ASV external vulnerability scanning (quarterly, certified ASV vendor). Internal vulnerability scanning (quarterly). Penetration testing annually and after significant changes — internal and external, plus segmentation test. File integrity monitoring (FIM). v4.0 MANDATORY: Req 11.6.1, automated change and tamper-detection mechanism for payment pages, evaluated weekly.
Requirement 12: Comprehensive information security policy reviewed annually. Acceptable use policy. Risk assessment process (Req 12.3). Targeted risk analysis for flexible controls (Req 12.3.2). Operational security procedures. Cryptographic algorithm inventory (Req 12.3.3). Third-party / service provider management programme (Req 12.8). Incident response plan with defined roles, tested annually (Req 12.10). Security awareness programme for all personnel — at hire and annually (Req 12.6).
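As an added illustration of the Requirement 3 controls above (example code, not the advisory's own tooling): two ways of keeping a stored PAN unreadable, truncation for records that only need partial digits and a keyed one-way hash for matching a PAN without storing it. The key is a constructed sample, 4111111111111111 is a well-known test PAN, and the function names are this example's own.

```python
# Added example for PCI DSS Requirement 3; constructed sample values only.
import hashlib
import hmac

def luhn_valid(pan: str) -> bool:
    """Reject malformed input before anything is derived from it."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits (BIN and account tail) and
    mask the rest.  Truncated PAN stays out of scope only if the full PAN
    cannot be rebuilt from it, e.g. it is not kept next to a hash of the
    same PAN."""
    if not luhn_valid(pan):
        raise ValueError("not a plausible PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def pan_index(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) used as a lookup index.
    An unkeyed hash is not strong enough here: once the BIN is known the
    remaining digit space is small enough to enumerate, so the secret key
    must be managed under the same key-management procedures as an
    encryption key."""
    if not luhn_valid(pan):
        raise ValueError("not a plausible PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()
```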
These requirements were "best practice" in PCI DSS v4.0 but became mandatory from 31 March 2025. If you were compliant under v3.2.1 and haven't addressed these, you are now out of compliance.
Every script loaded on your payment page must be documented in an authorised inventory with a business justification. Each script must have a method to confirm it has not been tampered with (e.g. subresource integrity hash). No unauthorised scripts permitted.
A mechanism must be deployed to detect unauthorised modifications to payment page HTTP headers and script contents. Evaluation must occur at minimum once every 7 days — catching Magecart / web-skimming attacks in near real-time.
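As an added illustration of the two payment-page controls above, Req 6.4.3 and Req 11.6.1 (example code, not the advisory's own tooling): a checker that compares one observed copy of the payment page against an authorised script inventory with SRI hashes and a header baseline, reporting unauthorised scripts, missing or mismatched integrity attributes, changed script contents and changed headers. Every URL, script body and header is constructed sample data, and the function names are this example's own.

```python
# Added example for Req 6.4.3 / 11.6.1; all values are constructed samples.
import base64
import hashlib
import re

def sri_hash(script_body: bytes) -> str:
    """SRI-style digest of a script body, as used in the integrity attribute."""
    digest = hashlib.sha384(script_body).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")

# Constructed inventory: authorised script URL, business justification and the
# hash recorded at approval time (Req 6.4.3 wants all three on file).
CHECKOUT_URL = "https://pay.example.test/checkout.js"
APPROVED_BODY = b"window.renderCardForm = function () { /* constructed */ };"
INVENTORY = {
    CHECKOUT_URL: {"justification": "renders the card entry form",
                   "sha384": sri_hash(APPROVED_BODY)},
}
# Constructed header baseline captured when the page was approved.
BASELINE_HEADERS = {"Content-Security-Policy": "script-src 'self' pay.example.test"}
SCRIPT_TAG = re.compile(r'<script\b[^>]*\bsrc="([^"]+)"[^>]*>', re.IGNORECASE)
INTEGRITY = re.compile(r'\bintegrity="([^"]+)"')

def check_payment_page(html, fetched, headers):
    """Compare an observed copy of the page (its HTML, the script bodies
    fetched from it, its response headers) with the inventory and baseline.
    Returns a list of findings; run at least weekly to meet the 7-day interval."""
    findings = []
    for tag in SCRIPT_TAG.finditer(html):
        src = tag.group(1)
        entry = INVENTORY.get(src)
        if entry is None:
            findings.append(f"unauthorised script: {src}")
            continue
        attr = INTEGRITY.search(tag.group(0))
        if attr is None:
            findings.append(f"no integrity attribute: {src}")
        elif attr.group(1) != entry["sha384"]:
            findings.append(f"integrity attribute differs from inventory: {src}")
        body = fetched.get(src)
        if body is None or sri_hash(body) != entry["sha384"]:
            findings.append(f"script content changed since approval: {src}")
    for name, expected in BASELINE_HEADERS.items():
        if headers.get(name) != expected:
            findings.append(f"header changed: {name}")
    return findings
```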
Multi-factor authentication is now mandatory for all interactive user access to the CDE — not just remote access. Any user logging into a server, database or system within the CDE must use MFA regardless of whether access is from inside or outside the network.
Failures of critical security controls (NSC, IDS/IPS, FIM, anti-malware, audit logs, access controls, segmentation controls) must be detected promptly and responded to. Manual periodic checks are no longer sufficient — automated alerting is required.
Where an entity uses the "customised approach" (flexible control design instead of prescriptive controls), a documented targeted risk analysis must demonstrate that each customised control achieves the stated security objective at least as effectively as the standard requirement.
A documented inventory of all cryptographic cipher suites, protocols and algorithms in use must be maintained and reviewed at least annually against current industry guidance and emerging threats. Plans for migrating away from weak algorithms must be documented.
Choosing the wrong SAQ is a common mistake that either leaves you under-compliant or forces unnecessary work. The correct SAQ depends entirely on how card payments flow through your environment.
SAQ A: Card-not-present merchants (e-commerce, mail/phone order) who have fully outsourced all payment functions to PCI DSS validated third parties. Your website only redirects customers to the payment processor.
SAQ A-EP: E-commerce merchants whose website does not directly receive cardholder data but uses a payment page that could be modified to intercept data (e.g. iframes that load third-party scripts on your domain).
SAQ B-IP: Face-to-face merchants using standalone, IP-connected POS terminals (EFTPOS machines) certified to PTS. No electronic storage of cardholder data. Terminal communicates directly with the processor.
SAQ D: All merchants not qualifying for SAQ A through C-VT, and all service providers eligible for SAQ assessment. If you store PANs, run your own payment application, or have complex card data environments — this is your SAQ.
SAQ C, SAQ C-VT and SAQ P2PE are also available for specific environments. We identify the correct SAQ for your setup during the scoping engagement.
Map all cardholder data flows: where PANs enter, how they move, where they are stored, how they are transmitted and who touches them. Identify all in-scope system components. Assess network segmentation effectiveness. Determine applicable Merchant Level and SAQ type. Produce a formal CDE scoping document with network diagram.
Structured assessment of your current controls against every PCI DSS v4.0 sub-requirement. Each gap rated by effort, risk and priority. Explicit attention to the six new March 2025 mandatory requirements. Output: gap assessment report with prioritised remediation plan and effort estimates for each control deficiency.
Hands-on support implementing: network segmentation and firewall rules, TLS 1.2/1.3 enforcement, MFA deployment for CDE access, access control and IAM procedures, log management and SIEM configuration, anti-malware and patch management, payment page script inventory (Req 6.4.3), tamper detection mechanism (Req 11.6.1), and PCI-required policy suite (Req 12).
For SAQ merchants: complete the correct SAQ with documented evidence for every "Yes" response. For Level 1 merchants or those requiring ROC: prepare the full Report on Compliance evidence pack — system descriptions, control documentation, test results and management attestations. QSA liaison and audit coordination.
Coordinate quarterly external vulnerability scans with an Approved Scanning Vendor (ASV). Scope and commission annual penetration tests (internal network, external perimeter, web application). Segmentation testing to validate CDE isolation. Remediate and re-scan all high/critical findings. Produce passing scan reports for your Acquiring Bank.
Finalise and sign the Attestation of Compliance (AOC). Submit completed SAQ/ROC and AOC to your acquirer and card brands as required. Establish quarterly scan schedule and annual audit calendar. Optional: retainer for continuous compliance monitoring, quarterly internal assessments, staff re-training and regulatory update tracking.
Every engagement produces audit-ready documents and evidence artefacts that you retain permanently — not just a compliance certificate that expires.
PCI DSS + ISO 27001 together: If you're also pursuing ISO 27001, combining both programmes under one engagement reduces effort by 30–40%. Shared policies, shared risk assessment, shared internal audit — one programme, two certifications.
Whether you're a Level 4 merchant completing your first SAQ, a fintech navigating RBI's PA/PG guidelines, or a Level 1 processor preparing for a full QSA ROC — we bring the expertise to get you there efficiently and confidently.