A CERT-In Empanelled Auditing Organization
Audits & Attestation

PCI DSS (QSA-led)

Assessment against PCI DSS v4.0 led by a Qualified Security Assessor — from cardholder-data scoping through to the Report on Compliance and Attestation of Compliance.

Overview

QSA-led validation of your card-data security.

Organisations that store, process or transmit cardholder data must validate compliance with PCI DSS. For many, that means a formal assessment by a Qualified Security Assessor.

We define your cardholder data environment, test each requirement, help close gaps, and produce the Report on Compliance and Attestation of Compliance your acquirer or card brand requires.

What’s covered

The areas this audit examines.

Scoping & segmentation

Defining and minimising the cardholder data environment.

Requirement testing

All twelve PCI DSS requirement areas.

Compensating controls

Validated and documented where applicable.

Evidence & sampling

Across people, process and technology.

RoC & AoC

Formal reporting for your acquirer or card brand.

Who needs this

Who benefits most

Who this engagement is designed to support.

  • Level 1 merchants: a QSA-led Report on Compliance is typically required.
  • Payment processors & gateways: core PCI scope.
  • Service providers storing card data: annual validation.
  • Acquirers' portfolio entities: card-brand mandates.
  • E-commerce at scale: high transaction volumes.
  • Anyone required to file a RoC: formal QSA assessment.
Regulatory drivers

Why this is required

Organisations above defined transaction volumes, or required by their acquirer, must validate PCI DSS compliance through a Qualified Security Assessor; the assessment produces the formal evidence acquirers and card brands rely on.

PCI DSS v4.0
Level 1 merchants and many service providers must undergo an annual QSA-led assessment producing a Report on Compliance.
Acquirer requirements
Your acquiring bank sets the validation level and requires the resulting Attestation of Compliance.
Card-brand programmes
Visa, Mastercard and other brands mandate ongoing PCI validation for in-scope entities.
How we work

A disciplined, repeatable method.

A rigorous lifecycle that gives you a result you can stand behind.

Scoping & CDE definition

Defining the cardholder data environment and connected systems.

Gap assessment

Assessing current state against the PCI DSS requirements.

Control validation

Validating controls across the twelve PCI DSS requirements.

Sampling & evidence testing

Sampling systems and testing evidence of compliance.

Remediation tracking

Tracking remediation of gaps through to closure.

RoC & AoC issuance

Issuing the Report on Compliance and Attestation of Compliance.

What you receive

Documentation built for every audience.

  • Report on Compliance (RoC): the formal QSA assessment report.
  • Attestation of Compliance (AoC): your signed attestation for acquirers and card brands.
  • Requirement-by-requirement matrix: status against all twelve PCI DSS requirements.
  • Gap & remediation register: gaps with remediation tracked to closure.
  • Evidence pack: the collected evidence supporting compliance.

Standards & frameworks

Everything here is aligned to your applicable standards and obligations.

PCI DSS v4.0, OWASP, NIST, PCI SSF (where relevant)
Checklist

Are you ready? A quick checklist

What to have in place before we begin.

  • Cardholder data flows mapped
  • Scope and segmentation defined
  • Network diagrams current
  • In-scope systems inventoried
  • Compensating controls documented
  • Evidence repository prepared
  • Third-party service providers listed
  • Prior RoC / gaps reviewed
FAQ

Common questions

Do we need a QSA or can we self-assess?
It depends on your transaction volume and acquirer requirements; higher volumes typically require a QSA-led RoC, while others may use a Self-Assessment Questionnaire. We can advise.
What changed in v4.0?
PCI DSS v4.0 introduces new and evolving requirements, a more flexible ‘customised approach’ for meeting them, and a stronger emphasis on continuous rather than point-in-time security. Several requirements were future-dated and became mandatory in 2025. We assess you against the current standard and its timelines so nothing is missed.
Can you help with scope reduction?
Yes. Reducing the size of your cardholder data environment is one of the most effective ways to cut both PCI cost and risk. Through network segmentation, tokenisation and removing unnecessary storage of card data, we shrink the systems in scope so fewer requirements apply and the assessment is faster and cheaper.