PCI compliance.
Built, not just advised.
Payment Card Industry compliance from scoping through to QSA audit. We reduce your cardholder data environment, implement every technical control, and prepare your SAQ or ROC. Engineers who build the controls, not consultants who document the gaps.
Before we implement a single control, we reduce your CDE footprint through segmentation and tokenisation. Smaller scope means lower cost and lower risk.
We implement the controls ourselves. You get a team that configures your firewalls, writes your policies, and closes findings before the QSA arrives.
PCI compliance is a continuous obligation. We set up monitoring, manage quarterly scans, and keep you audit-ready year-round, not just at renewal.
From scoping to certification and beyond.
CDE Scoping and Reduction
Scope · Risk Reduction
We map your cardholder data environment, identify all in-scope systems, and apply network segmentation and tokenisation strategies to shrink your CDE footprint before the audit begins.
- Data flow mapping
- CDE boundary definition
- Network segmentation design
- Tokenisation and encryption review
- Scope reduction roadmap
Gap Analysis and Remediation
Assessment · Implementation
A full gap assessment against PCI DSS v4.0 requirements, followed by hands-on remediation. We implement the missing controls, configure the tooling, and close the findings ourselves.
- PCI DSS v4.0 gap assessment
- Prioritised remediation plan
- Technical control implementation
- Policy and procedure authoring
- Evidence collection framework
SAQ Preparation
Self-Assessment · Documentation
For merchants and service providers completing a Self-Assessment Questionnaire, we prepare the documentation, implement the required controls, and validate your answers before submission.
- SAQ type selection (A, B, C, D)
- Control implementation
- Evidence pack preparation
- SAQ completion support
- Attestation of Compliance (AoC)
ROC Support and QSA Coordination
Audit · QSA Liaison
For organisations requiring a Report on Compliance, we prepare your evidence pack, coordinate with your Qualified Security Assessor, and manage the audit process end to end.
- Pre-audit readiness review
- Evidence repository build
- QSA liaison and coordination
- Finding remediation support
- ROC and AoC finalisation
PCI Penetration Testing
Requirement 11 · Testing
PCI DSS Requirement 11 mandates annual penetration testing of your CDE. We conduct segmentation testing, external and internal penetration tests, and deliver findings in the format your QSA expects.
- Segmentation testing
- External penetration test
- Internal penetration test
- Application-layer testing
- QSA-ready report
Continuous Compliance and Monitoring
Ongoing · Retained
PCI DSS is not a one-time audit. We implement continuous monitoring, manage quarterly vulnerability scans, and keep your controls current through environment changes and annual reassessments.
- Quarterly ASV scans
- Continuous control monitoring
- Change management integration
- Annual reassessment support
- Compliance dashboard and reporting
Scope. Remediate. Certify. Maintain.
Scope and Gap
We define your CDE, map data flows, and assess your current controls against PCI DSS v4.0 requirements.
Reduce and Remediate
We shrink your CDE footprint, implement missing controls, and close every finding before the QSA arrives.
Evidence and Audit
We build your evidence pack, prepare your SAQ or ROC documentation, and coordinate with your QSA.
Certify and Maintain
You achieve compliance. We stay on for quarterly scans, annual reassessments, and continuous monitoring.
Ready to achieve PCI DSS compliance?
Book a 30-minute scoping call. We will assess your current CDE, estimate the sprint timeline, and give you a clear path to PCI DSS v4.0 compliance with engineering included.