PCI DSS
Mandatory security requirements for organizations that store, process, or transmit cardholder data.
Overview
PCI DSS is a contractual requirement enforced by the payment card brands for any organization handling cardholder data. Version 4.0 introduces expanded requirements around authentication, encryption, and continuous security monitoring, with a phased compliance timeline for new requirements.
Key Requirements
- Network segmentation and cardholder data environment (CDE) scoping
- Quarterly vulnerability scans by an Approved Scanning Vendor (ASV)
- Annual penetration testing of the CDE
- Strong authentication (MFA) for all CDE access
Who Needs This
- • E-commerce merchants and payment processors
- • Retailers operating point-of-sale systems
- • SaaS platforms embedding payment processing
Typical Timeline
8-12 weeks for SAQ-level compliance; longer for full Report on Compliance (ROC)
Our Approach
CDE scoping and segmentation validation
Required quarterly scans and annual penetration testing
Gap assessment against SAQ or Report on Compliance requirements
Remediation support ahead of assessor engagement
Ready to pursue PCI DSS readiness?
Talk to our GRC advisory team about a scoped gap assessment for your organization.