PCI-DSS Compliance
Payment Card Industry Data Security Standard and transaction resilience.
Do you need to comply with PCI DSS?
PCI DSS applies wherever payment card data is handled.
You likely need this if
- You store, process or transmit cardholder data
- You take card payments online, in person or over the phone
- Your acquirer or payment partner is asking for a compliance attestation
- You are unsure how to reduce your scope and the cost of compliance
Not sure where you land? A short scoping call will tell you plainly, including if you do not need this yet.
What is PCI-DSS?
The PCI-DSS (Payment Card Industry Data Security Standard) establishes mandatory cybersecurity requirements for all entities that store, process, or transmit cardholder data. This includes merchants, processors, acquirers, issuers, and service providers.
Our comprehensive service portfolio addresses the standard's core requirements through governance frameworks, continuous security testing, encrypted data management, incident response, and workforce awareness programs. By combining proactive threat detection and resilience validation, organizations can demonstrate compliance with mandatory security measures while building genuine operational resilience against financial cyber threats.
Core Requirements & Our Services
Governance & Risk Management
Establish risk management frameworks and security policies required for entities handling sensitive payment data.
Threat Detection & Monitoring
Support mandatory cybersecurity measures through continuous monitoring and early warning mechanisms for payment environments.
Vulnerability Management
Implement continuous security monitoring, vulnerability scanning, and patch management across all cardholder data environments (CDE).
Penetration Testing
Fulfill annual penetration testing requirements and validate network security measures for compliant entities.
System & Network Hardening
Implement secure configurations, firewall management, and continuous monitoring of endpoints and wireless infrastructure.
Incident Response & Reporting
Fulfill mandatory incident handling requirements with specialized reporting obligations for data breaches.
Human Factor
Fulfill human resources security requirements and mandatory awareness training for personnel with access to cardholder data.
The full PCI-DSS capability set
From SAQ readiness to ongoing monitoring - everything in one programme.
Gap analysis & readiness
Readiness assessment and gap analysis for PCI-DSS validation.
Sector-specific bundles
Service bundles for retail, e-commerce, finance, and fintech.
Incident response & forensics
Incident response readiness and forensic reports for regulators and banks.
Employee training & awareness
Training aligned with PCI-DSS and your HR security clauses.
Continuous monitoring & dashboards
Executive dashboards for real-time compliance status.
Take a look inside the board report
This export-ready sample shows how our reporting structure aligns with PCI DSS and can be presented to your board or regulatory body - every section, exactly as they'll see it.
- 01 Summary of compliance status (ROC/SAQ readiness) (p. 2)
- 02 Risk overview of the Cardholder Data Environment (CDE) (p. 4)
- 03 Incident handling and response capability (p. 6)
- 04 Vulnerability and threat posture (p. 8)
- 05 Actions taken and prioritized next steps (p. 10)
FAQ - PCI-DSS
Does PCI-DSS apply to small businesses?
Yes. If your business accepts, processes, stores, or transmits payment card data, PCI-DSS compliance is mandatory, regardless of organization size or transaction volume. The Payment Card Industry Data Security Standard applies to all entities handling cardholder data.
However, validation requirements are significantly simpler for low-volume processors: organizations under 1 million annual transactions typically qualify as Level 3 or 4 merchants and can self-validate using Self-Assessment Questionnaires (SAQs) rather than requiring external Qualified Security Assessor (QSA) audits.
How does PCI-DSS relate to GDPR?
PCI-DSS and GDPR are separate but complementary frameworks with distinct scopes.
| Dimension | GDPR | PCI-DSS |
|---|---|---|
| Scope | All personal data of EU citizens | Payment card data only |
| Nature | EU legal regulation (mandatory) | Global industry standard (contractual) |
| Focus | Broad personal data privacy | Cardholder data security specifically |
| Enforcement | National supervisory authorities, fines up to 4% of annual global revenue | Acquiring banks and card brands, potential revocation of processing privileges |
Complying with PCI-DSS helps satisfy GDPR's Article 32 security mandates regarding financial data, but GDPR compliance does not waive PCI-DSS requirements. You must implement both frameworks independently.
Am I automatically compliant if I use a payment processor such as Stripe or PayPal?
Not automatically, but using a compliant third-party processor significantly reduces your compliance burden.
Certified processors (Stripe, Adyen, PayPal) handle the heaviest security lifting - storing, processing, and transmitting actual card numbers - placing them in the highest PCI-DSS responsibility category.
However, you still must complete a Self-Assessment Questionnaire (SAQ) to validate that your connection to the gateway is secure. Most e-commerce businesses using fully redirected payment pages qualify for SAQ A (the shortest version, around 20 controls), which confirms:
- No cardholder data touches your systems.
- The payment page fully redirects to the processor.
- Your website does not store, process, or transmit card data.
What happens if I am not compliant?
Non-compliance consequences escalate significantly.
| Consequence | Impact |
|---|---|
| Non-compliance fees | Monthly fines from the acquiring bank |
| Data breach fines | Card brand penalties, forensic costs |
| Transaction revocation | Loss of credit card processing ability |
| Forensic investigation | Mandatory post-breach analysis |
| Reputational damage | Customer trust erosion, brand damage |
If your business suffers a data breach while non-compliant, you face severe fines, mandatory forensic investigation costs, card brand penalties, and potential revocation of credit card processing privileges - effectively shutting down a critical revenue channel.
What is a Self-Assessment Questionnaire (SAQ), and which one do I need?
A Self-Assessment Questionnaire (SAQ) is a validation tool for businesses with lower transaction volumes (Level 3-4 merchants) to self-report PCI-DSS compliance. The specific version depends entirely on your payment processing method:
| SAQ type | Merchant scenario | Controls |
|---|---|---|
| SAQ A | Fully redirected e-commerce (card data goes directly to processor) | ~20 |
| SAQ A-EP | Partially redirected e-commerce (you host some payment page elements) | ~35 |
| SAQ B | Imprint machines or standalone dial-up terminals only | ~15 |
| SAQ B-IP | IP-based terminals (no card data on internal systems) | ~30 |
| SAQ C-VT | Virtual payment terminals (no card data storage) | ~25 |
| SAQ D | All other merchants (card data stored or processed on your systems) | ~120 |
Most local e-commerce sites using fully redirected payment pages (Stripe/PayPal checkout redirects) only need SAQ A - the shortest, simplest version.
Do I need an external auditor (QSA)?
Usually, no. Businesses processing fewer than 1 million transactions annually (Level 3 or 4 merchants) typically do not need to hire an external Qualified Security Assessor (QSA), and can self-validate using the appropriate SAQ.
External auditor (QSA) requirements apply only to:
- Level 1 merchants: 6+ million annual transactions (mandatory annual report by a QSA).
- Level 2 merchants: 1-6 million annual transactions (a QSA audit may be required by the acquiring bank).
For small EU businesses under 1 million transactions, SAQ self-assessment is the standard compliance path.
Do I need quarterly vulnerability scans?
It depends on your technology setup. Quarterly ASV (Approved Scanning Vendor) vulnerability scans are mandatory if:
- Your internal network touches cardholder data.
- Your e-commerce website hosts the payment form directly on your servers (not fully redirected).
- You store any cardholder data on internal systems.
- You use IP-based payment terminals connected to your network.
You likely do not need scans if you use fully redirected payment pages (SAQ A), cardholder data never touches your internal network, or you only use standalone dial-up terminals (SAQ B).
How much effort does PCI-DSS compliance take?
The effort varies significantly based on technology architecture and payment processing method.
| Scenario | Effort | Primary tasks |
|---|---|---|
| Fully redirected (SAQ A) | Minimal | Administrative time, SAQ completion |
| Partial redirect (SAQ A-EP) | Low-medium | Web application security review, SAQ completion |
| ASV scans required | Medium | Quarterly scan coordination, firewall configuration, documentation |
| Card data on internal systems (SAQ D) | High | Full security implementation, staff training, penetration testing, potential QSA audit |
For small businesses, SAQ completion typically takes 5-20 hours depending on whether it is self-done or consultant-assisted.