Compliance

PCI DSS Certification Preparation

Non-compliance with PCI DSS means fines of up to $100,000 per month plus losing the ability to accept cards. We'll guide you through the standard's requirements: implementation, documentation and audit. Protect customer data and avoid sanctions.

Product Manager
Przemysław Widomski


Sales Representative

  • PCI DSS 4.0 Standard - Payment Card Industry
  • QSA Experience - Qualified Security Assessor
  • Visa, Mastercard, Amex - All card organizations

Without PCI DSS you lose the right to accept card payments

$100,000 monthly penalty for PCI DSS non-compliance from payment card organizations

Comprehensive PCI DSS certification preparation

  • Gap Analysis - Compliance assessment against all 12 PCI DSS requirements
  • Control Implementation - Implementation of missing technical security controls
  • SAQ & AOC - Documentation preparation and compliance audit

€55K Monthly Fine - Online Store Story

An online store with €2.5M annual revenue was fined €55K by its acquirer for PCI DSS non-compliance. After 3 months without remediation it lost the ability to accept card payments. The company went bankrupt within 6 months.

Without PCI DSS compliance:

  • Fines from $5,000 to $100,000 per month from card organizations
  • Increased transaction fees (up to 0.5% higher)
  • Risk of losing ability to accept card payments
  • Liability for card data breach - card replacement costs can reach millions

From CDE Scoping to Attestation of Compliance

We don’t leave you with a long list of requirements to meet. We guide you through the entire process - from defining cardholder data environment scope to obtaining AOC (Attestation of Compliance).

What you get:

  • CDE scoping - precise determination of which systems process card data
  • Compliance assessment against all 12 PCI DSS 4.0 requirements
  • Implementation plan for missing controls with priorities
  • Technical security implementation (segmentation, encryption, monitoring)
  • Security policy and procedure preparation
  • Self-Assessment Questionnaire (SAQ) appropriate for your business type
  • Penetration testing and ASV scanning coordination
  • Support during QSA audit (for Merchant Level 1 and 2)
  • Attestation of Compliance (AOC) for bank submission

Who Is It For?

This service is for you if:

  • You accept card payments (e-commerce, POS, call center)
  • You’re required by your bank or acquirer to obtain PCI DSS compliance
  • You process, store or transmit payment card data
  • You’re a payment service provider or payment processor
  • You want to lower transaction fees and avoid fines

PCI DSS Requirements

12 Payment Card Industry Data Security Standard Requirements

PCI DSS 4.0 defines 12 core requirements grouped into 6 goals:

Build and Maintain Secure Network:

  1. Firewall configuration for card data protection
  2. Change default passwords and parameters

Protect Cardholder Data:

  3. Protect stored card data
  4. Encrypt transmission over public networks

Maintain a Vulnerability Management Program:

  5. Malware protection
  6. Secure systems and applications

Implement Strong Access Control:

  7. Restrict data access by need-to-know
  8. Authenticate system access
  9. Restrict physical access

Monitor and Test Networks:

  10. Log and monitor data access
  11. Regular security testing

Maintain an Information Security Policy:

  12. Information security policy

SAQ Types

Which SAQ is Right for You?

SAQ Type       | Who                                    | Complexity
SAQ A          | E-commerce with redirect to PSP        | Simplest
SAQ A-EP       | E-commerce with payment page elements  | Low
SAQ B          | Imprint machines, standalone terminals | Low
SAQ B-IP       | IP-connected terminals                 | Medium
SAQ C          | Payment applications                   | Medium
SAQ C-VT       | Virtual terminal (manual entry)        | Low
SAQ P2PE       | P2PE-validated payment solutions       | Low
SAQ D Merchant | All other merchants                    | Full scope
SAQ D SP       | Service providers                      | Full scope

Compliance Process

Step by Step to Certification

Phase 1: Scoping (1-2 weeks)

  • Identify all systems processing card data
  • Map data flows (where card data goes)
  • Define CDE boundaries
  • Identify connected systems

Phase 2: Gap Analysis (2-3 weeks)

  • Assessment against all 12 requirements
  • Technical configuration review
  • Policy and procedure review
  • Gap documentation and risk assessment

Phase 3: Remediation (4-12 weeks)

  • Technical control implementation
  • Network segmentation
  • Encryption implementation
  • Access control hardening
  • Logging and monitoring setup
  • Policy and procedure development

Phase 4: Validation (2-4 weeks)

  • Internal penetration testing
  • ASV external scanning
  • SAQ completion
  • Evidence collection

Phase 5: Audit/Certification (1-4 weeks)

  • QSA on-site audit (if required)
  • Finding remediation
  • AOC issuance
  • Submission to acquirer

Key Technical Requirements

What You Need to Implement

Network Security:

  • Firewall protecting CDE
  • DMZ for public-facing systems
  • Network segmentation
  • Wireless security (if applicable)

Data Protection:

  • No PAN storage (if possible)
  • Strong encryption for stored data (AES-256)
  • TLS 1.2+ for transmission
  • Key management procedures

Access Control:

  • Unique user IDs
  • Strong authentication (MFA)
  • Role-based access
  • Physical access controls

Monitoring:

  • Log all access to cardholder data
  • Centralized log management
  • Daily log review
  • Alerting on suspicious activity

How we work

Our proven service delivery process.

  1. Scoping - Define the CDE (Cardholder Data Environment)
  2. Gap Analysis - Compliance assessment against the 12 PCI DSS 4.0 requirements
  3. Remediation - Implementation of missing security controls
  4. SAQ & Testing - Self-Assessment Questionnaire and penetration testing
  5. QSA Audit - Audit by a Qualified Security Assessor (if required)

Benefits for your business

What you gain by choosing this service.

  • Accept Payments - Maintain the right to accept payment cards
  • Avoid Fines - Protection from fines of up to $100,000 per month
  • Customer Trust - Customers know their data is secure
  • Lower Premiums - Cyber insurers value compliance

Contact your account manager

Discuss PCI DSS Certification Preparation with your dedicated account manager.


Response within 24 hours, free consultation, custom quote.
