Certified PCI DSS QSA Compliance & Audit Services

PCI DSS (Payment Card Industry Data Security Standard) is a global security framework mandatory for any organisation that processes, stores, or transmits credit/debit cardholder data. It defines 12 requirements across network security, access control, encryption, monitoring, and policy — non-compliance can result in fines, card-brand penalties, and breach liability.

Yes. Any organisation that stores, processes, or transmits cardholder data must comply with PCI DSS, regardless of size or transaction volume. Engaging a PCI Qualified Security Assessor (QSA) or a PCI-certified assessor ensures your PCI DSS audit and compliance audit meet all required standards.

A PCI Qualified Security Assessor (QSA) is an independent, PCI SSC-certified auditor who evaluates your cardholder data environment against all 12 PCI DSS requirements, produces the Report on Compliance (ROC), and signs the Attestation of Compliance (AOC) — the documents your acquiring bank and card brands require.

The 12 PCI DSS requirements cover: (1) install and maintain network security controls, (2) apply secure configurations, (3) protect stored account data, (4) protect cardholder data in transit, (5) protect all systems against malware, (6) develop and maintain secure systems, (7) restrict access by business need, (8) identify users and authenticate access, (9) restrict physical access, (10) log and monitor all access, (11) test security regularly, and (12) maintain an information security policy.

Merchants are categorised into four levels based on annual transaction volume. Level 1 (>6 million transactions/year) requires a full QSA-led ROC. Levels 2–4 (lower volumes) may self-assess using a SAQ, though acquiring banks often require a QSA for Level 2. Service providers follow a separate two-level classification.

Timeline depends on your current security posture and merchant level. A Level 1 ROC assessment typically takes 8–16 weeks end-to-end: 2–4 weeks for gap assessment and remediation planning, 4–8 weeks for control evidence collection, and 2–4 weeks for report drafting and QSA review. SAQ-based certifications for smaller merchants can be completed in 2–4 weeks.

PCI DSS applies to entities that handle cardholder data (merchants, service providers). PA-DSS (now retired and replaced by PCI SSF) applied to payment application vendors. PCI SSF (Secure Software Framework) is the current standard for payment software developers — it includes the Secure Software Standard (S3) and the Secure Lifecycle Standard (SLC).

A ROC is a full QSA-authored compliance report required for Level 1 merchants and high-risk service providers. An SAQ is a self-certification questionnaire available in multiple variants (SAQ A, B, C, D, etc.) for lower-volume merchants, where no on-site QSA audit is mandated — though a QSA can assist with SAQ completion.

Failing a PCI assessment results in a gap report detailing non-compliant controls. You are given a remediation period to fix the gaps before a re-assessment. Continued non-compliance can trigger fines from card brands ($5,000–$100,000/month), increased transaction fees, and in a data breach scenario, liability for fraud losses and forensic investigation costs.

Yes. PCI DSS v4.0 explicitly addresses cloud environments. Your cloud provider (AWS, GCP, Azure) may hold certain controls under a shared responsibility model, but you remain responsible for controls in your application layer, access management, and data handling. Your QSA will scope the assessment to include your cloud components and review the provider's PCI-validated Shared Responsibility Matrix.

Cost varies significantly by scope and merchant level. SAQ-based self-assessments with QSA guidance typically range from $3,000–$15,000. A full Level 1 ROC engagement ranges from $20,000–$70,000+ depending on environment complexity, number of locations, and required remediation. Annual ASV scanning, penetration testing, and training are ongoing costs beyond the audit itself.

PCI Approved Scanning Vendor (ASV) scanning is mandatory for merchants and service providers with internet-facing systems in scope. ASV scans must be conducted quarterly by a PCI SSC-approved scanning vendor. Passing scan reports are required evidence for SAQ submission and ROC completion. Internal vulnerability scans are an additional separate requirement.

PCI DSS v4.0, effective since March 2024, introduced a customised approach option allowing organisations to meet the intent of each requirement with alternative controls, enhanced multi-factor authentication requirements, expanded e-commerce and phishing protections, and 64 new future-dated requirements (now mandatory from March 2025). V3.2.1 was retired on 31 March 2024.

PCI DSS v4.0.1 refines specific compliance requirements around multi-factor authentication (MFA) exceptions, restricts the 30-day critical patch windows explicitly to high-risk vulnerabilities, and clarifies script governance configurations, making validations smoother for SaaS environments.