PCI DSS Compliance

Scope your cardholder data environment, implement all 12 requirements, and pass your assessment — whether you qualify for SAQ-A or need a full QSA report on compliance.

The scope problem most SaaS companies don't know they have

Any SaaS company that stores, processes, or transmits cardholder data falls under PCI DSS scope — even if you delegate payment processing to Stripe or another gateway. Scope-reduction through a third-party processor is significant, but rarely complete. Depending on how your integration is built, you may still have in-scope systems, databases, or infrastructure that carry PCI DSS obligations.

PCI DSS v4.0, the current version since March 2024, introduced new requirements around multi-factor authentication, targeted risk analysis, and continuous monitoring. These additions reflect the modern threat landscape — and they apply regardless of your assessment level. Being compliant with the previous version 3.2.1 is no longer sufficient.

Non-compliance carries real financial and operational risk. Card brands can impose fines of up to €100,000 per month for non-compliant merchants and service providers. Loss of payment processing privileges is a secondary consequence that can halt business operations entirely. In the event of a breach, non-compliant organisations also bear liability for fraud losses — a risk that grows with transaction volume.

The most common failure mode we see: a SaaS company assumes "we use Stripe so we're fine" — without ever validating that assumption against the specific integration they built. JavaScript-based payment fields, API calls that pass card metadata, and custom checkout flows all affect scope. Our assessment determines exactly where your scope boundary sits and what obligations flow from it.

Key facts

  • Current version:
    PCI DSS v4.0 (current since March 2024)
  • Core requirements:
    12 requirements across 6 control domains
  • Assessment path:
    SAQ-A to full QSA assessment (scope-dependent)
  • Non-compliance fines:
    Up to €100,000/month from card brands

The 12 requirements

What PCI DSS v4.0 actually requires.

Build & Maintain a Secure Network (Req 1–2)

  • Install and maintain network security controls — firewalls, network segmentation
  • Apply secure configurations to all system components — no vendor defaults

Protect Cardholder Data (Req 3–4)

  • Protect stored cardholder data — encryption, truncation, and data retention policies
  • Protect cardholder data in transit — TLS 1.2+ enforced, no cleartext transmission

Vulnerability Management (Req 5–6)

  • Protect all systems against malware — antivirus, EDR, and anti-phishing controls
  • Develop and maintain secure systems and software — SDLC, patching, code review

Strong Access Controls (Req 7–9)

  • Restrict access to cardholder data — least privilege, need-to-know basis only
  • Identify users and authenticate access — MFA required for all CDE access (v4.0)
  • Restrict physical access to cardholder data — documented and enforced

Monitor & Test Networks (Req 10–11)

  • Log and monitor all access to network resources and cardholder data
  • Test security of systems and networks — quarterly ASV scans, annual penetration test
  • Intrusion detection — alerts on anomalous access patterns within the CDE

Information Security Policy (Req 12)

  • Information security policy — documented, approved by management, reviewed annually
  • Risk assessment — formal methodology, documented annually and on significant change
  • Security awareness training — all personnel, annually, with documented completion

Targeted Risk Analysis (PCI DSS v4.0 new)

  • Formal risk analysis required for each requirement where a customised approach is chosen
  • Documented rationale demonstrating that security objectives are met equivalently

Continuous Compliance

  • Evidence of controls operating effectively over time — not just at the moment of audit
  • Periodic reviews, exception tracking, and control validation on a defined schedule

Recommended path

Scope first. Then implement. Then maintain.

PCI DSS compliance starts with knowing your actual scope. Everything else — the controls, the evidence, the assessment — flows from that. Here is the path we take every client through.

1. Security Assessment

€2,500 · credited toward Sprint

We assess your actual PCI DSS scope — identifying which SAQ level applies or whether a QSA is required — and map all gaps across the 12 requirements. You receive a clear, prioritised remediation roadmap before any implementation work begins. The assessment fee is credited in full toward the Sprint if you proceed.

2. 90-Day Accelerator

€28,000 · fixed scope

We implement all required controls within your scoped cardholder data environment — network segmentation, access controls, encryption, logging, and vulnerability management. We document the cardholder data flow, build your System Security Plan, and produce the evidence pack your QSA or SAQ requires. Fixed scope, fixed price, no surprises.

3. The Compliance Engine™

From €120/user/mo · ongoing

Continuous compliance operations for your PCI environment — quarterly ASV vulnerability scans, annual penetration testing coordination, access reviews, SIEM log monitoring, and evidence generation for your next assessment cycle. We keep the controls running and the evidence clean so your annual review is never a scramble. Minimum 40 users, 12-month commitment.

FAQ

Common questions.

Do we still fall under PCI DSS if we use Stripe?

Yes, potentially. Using Stripe or another payment processor reduces scope significantly, but does not eliminate it. If your application redirects to a hosted payment page and you never touch cardholder data, you may qualify for SAQ-A — the lightest self-assessment. But if you have any integration beyond a simple redirect — iframes, custom payment fields, API calls that pass card metadata — your scope increases and so do your obligations. Our assessment determines your exact scope and which SAQ type or QSA path applies.

What is the difference between an SAQ and a QSA assessment?

A Self-Assessment Questionnaire (SAQ) is a self-certification you complete — appropriate for merchants and service providers with limited, well-defined scope. A Qualified Security Assessor (QSA) conducts a formal, independent audit — required for higher-risk environments and commonly requested by large enterprise clients and card brands. PCI DSS has multiple SAQ types (A, A-EP, B, C, D) depending on how you handle card data. Our assessment identifies which path applies to you and what the corresponding evidence obligations are.

How long does PCI DSS compliance take?

For a typical B2B SaaS with a reduced scope — Stripe integration, no direct card data storage — achieving SAQ-A compliance can take 4–8 weeks. For more complex environments requiring a QSA Report on Compliance (RoC), the timeline is 90–180 days depending on gap count and environment size. The 90-Day Accelerator covers the full implementation phase; the QSA assessment follows independently once controls are in place and operating. We coordinate the handoff and prepare everything the QSA needs.

Ready to scope your cardholder data environment?

Tell us how you handle payments and what compliance obligations you are facing. We will determine your actual scope and build a clear path to compliance.
