PCI DSS, in scope and under control.
The card-brand standard governing every business that stores, processes, or transmits cardholder data. We build the technical environment that survives a QSA's questions.
What PCI DSS actually requires.
PCI DSS is a card-brand standard, not a law, but functionally mandatory if you take cards. Version 4.0 is the current iteration, with the final phase-in deadline already past. The standard organizes 12 high-level requirements into 6 control objectives spanning network security, access control, vulnerability management, monitoring, and policy.
Compliance is annual: a Self-Assessment Questionnaire (SAQ) for smaller merchants, or a Report on Compliance (ROC) from a Qualified Security Assessor (QSA) for higher merchant levels. Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) sit alongside that.
- Build a secure network: firewalls, segmentation, hardened configurations for systems handling cardholder data.
- Protect cardholder data: encryption at rest and in transit. Don't store what you don't need.
- Vulnerability management: patching, secure development, anti-malware on a cadence.
- Access control: least privilege, unique IDs, physical access restrictions.
- Monitor and test: centralized logging, regular testing, file integrity monitoring.
- Maintain security policy: written policy, workforce awareness, incident response plan.
Who has to comply.
If you accept, store, process, or transmit payment cards in any form, you're in scope. Levels are set by transaction volume:
- Level 1: over 6 million transactions per year (or any merchant that has had a breach). Annual ROC from a QSA and quarterly ASV scans.
- Levels 2 to 4: smaller merchants. Self-Assessment Questionnaire (SAQ A through SAQ D depending on environment) and quarterly ASV scans.
- Service providers: if you store, process, or transmit card data on behalf of merchants, separate stricter requirements apply.
What we implement.
The fastest way to shrink the work is to shrink the scope. Most of what we do focuses on either reducing the cardholder data environment or hardening what remains.
- Scope reduction: tokenization, P2PE, redirected checkouts. Every component we can move out of the CDE removes a control we'd otherwise have to prove.
- Network segmentation: cardholder data environment isolated by VLAN, ACL, or dedicated infrastructure. Documented and tested annually.
- Vulnerability management: internal scanning, ASV-coordinated external scans, patching SLA tracked per asset. Critical CVEs in 30 days, others on schedule.
- Logging and monitoring: centralized log collection from CDE systems, file integrity monitoring on critical files, daily review evidence captured.
- Access control and MFA: unique IDs, role-based access, MFA for all non-console admin and remote access. Quarterly access reviews documented.
- Hardened configurations: CIS or vendor-hardening benchmarks applied to OS, network gear, and POS systems. Drift detection.
Who owns what.
On us
- Technical controls across the cardholder data environment
- Vulnerability management cadence and ASV scan coordination
- Centralized logging, monitoring, and file integrity
- Network segmentation testing and documentation
- Evidence collection across the audit window
- Incident response, including in-scope incident reporting to card brands
On you
- Engagement of the QSA (Level 1) or completion of the SAQ (Levels 2 to 4)
- Acquiring bank relationship and reporting
- Workforce security awareness training
- Policy approval (we draft, you adopt)
- Penetration testing engagement (we coordinate)
- Final attestation and signature
Common pitfalls we see.
Scope creep that nobody mapped.
Marketing adds a third-party tag to the checkout page, support uses a SaaS tool that logs partial card numbers, sales takes payments over the phone. Every one of those drags systems into scope. We rebuild the scope diagram from network traffic, not from memory.
Storing CVV "just for refunds."
PCI DSS explicitly forbids storing CVV/CAV2/CVC2 after authorization. We find this in app logs, support tickets, and CRM notes. The fix is technical, not policy.
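As an added example (not the firm's own tooling), a small Python log scrubber of the kind that turns the "fix is technical" point into code: it finds Luhn-valid PANs and CVV-style fields in constructed sample log lines and masks them before they reach a log store, while leaving a benign order number that fails Luhn untouched. Field names, regexes and the sample lines are assumptions for illustration.

```python
import re

# Constructed sample log lines (not from any real system): a PAN and CVV in a
# request body, a CVV in a support note, and a benign order id that must NOT
# be flagged because it fails the Luhn check.
SAMPLE_LOGS = [
    'INFO checkout body={"card":"4111 1111 1111 1111","cvv":"123","amount":"19.99"}',
    'INFO support-note "customer gave cvc 456 for refund on order 123456789012345"',
    'INFO order created id=8765432109876540 status=ok',
]

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:\d[ -]?){12,18}\d(?![0-9])")
# Assumed field spellings for sensitive authentication data followed by 3-4 digits.
CVV_FIELD = re.compile(r"(?i)\b(cvv2?|cvc2?|cav2|cid|security[ _-]?code)\b\s*[:=\"']*\s*(\d{3,4})\b")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check that card PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(line: str) -> list[str]:
    """Return Luhn-valid PANs (digits only) found in one log line."""
    candidates = (re.sub(r"[ -]", "", m.group(0)) for m in PAN_CANDIDATE.finditer(line))
    return [c for c in candidates if luhn_valid(c)]


def redact(line: str) -> tuple[str, dict]:
    """Mask PANs to first six / last four and blank CVV values; report counts."""
    findings = {"pan": 0, "cvv": 0}

    def _pan(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # long digit run but not a card number: leave it
        findings["pan"] += 1
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

    def _cvv(m):
        findings["cvv"] += 1
        return m.group(0)[: -len(m.group(2))] + "[REDACTED]"

    line = PAN_CANDIDATE.sub(_pan, line)
    line = CVV_FIELD.sub(_cvv, line)
    return line, findings
```

Run `redact` over each line before it is written; a non-zero finding count is also the signal that the producing code path needs fixing, not just the log.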
Quarterly ASV scans with no remediation evidence.
Passing scans without recording the remediation work between them creates an evidence gap. We track every external vuln finding to closure with a written trail.
Treating SAQ A as a get-out-of-jail-free card.
SAQ A applies only to fully outsourced e-commerce where your own systems have no impact on the security of cardholder data. The moment you add an iframe to a hosted page, you're often SAQ A-EP. We help confirm which SAQ actually applies before you sign one.
Let's talk for 30 minutes.
No slides.
Bring your last SAQ, your scope diagram, or an ASV scan you're trying to pass. We'll come back with a written gap analysis, and what it would cost.
- 30-min discovery, no slide deck
- Free written assessment, yours to keep
- A clear proposal, no pressure
Or call us directly: 904-639-0003