PCI DSS v4.0 · Payment Card Security
PCI DSS Compliance & Audit Readiness
Secure Cardholder Data and Maintain Card Acceptance
PCI DSS (Payment Card Industry Data Security Standard) v4.0 mandates security requirements for any organisation that stores, processes, or transmits cardholder data. Non-compliance can result in fines of $5,000–$100,000 per month, forced card scheme withdrawal, and breach liability. SIRI Law LLP’s PCI DSS practice combines certified security engineers with legal advisory for complete compliance management.
What It Is & Why It Matters
PCI DSS Compliance & Audit Readiness: The Essentials
PCI DSS v4.0 (effective March 2024) is the current version — introducing significant enhancements including targeted risk analyses for customised controls, enhanced authentication requirements, and expanded requirements for e-commerce security. The standard comprises 12 requirements across six goals — covering network security, data protection, vulnerability management, access control, monitoring, and information security policy.
Scope is critical in PCI DSS — the Cardholder Data Environment (CDE) and all systems connected to or that can affect the security of the CDE are in scope. Effective scoping and segmentation can dramatically reduce the compliance burden. SIRI Law LLP advises on CDE scoping and network segmentation validation through penetration testing — a PCI DSS requirement.
India’s payment industry is heavily regulated — by RBI, by card scheme rules (Visa, Mastercard, RuPay), and by PCI DSS. Payment aggregators, payment gateways, banks, e-commerce merchants, and their technology suppliers all have PCI DSS obligations. We provide advisory across all merchant and service provider levels.
PCI DSS v4.0 applies to any organisation that stores, processes, or transmits cardholder data — there is no minimum transaction threshold for the technical requirements. The compliance validation method (QSA assessment, SAQ, or AOC) depends on your merchant or service provider level and card scheme requirements.
The consequences of non-compliance or breach are severe: card scheme fines (passed through by acquiring banks), forensic investigation costs, notification obligations, and potential loss of card acceptance — the lifeline of any payment-dependent business.
PCI DSS v4.0 introduced customised controls — allowing organisations to demonstrate equivalent security using alternative approaches where the prescribed requirement is technically infeasible or doesn’t apply. We advise on appropriate use of customised controls to reduce compliance burden without compromising security.
Scope of Services
What Our Engagement Covers
- PCI DSS v4.0 gap assessment — all 12 requirements
- Cardholder Data Environment (CDE) scoping workshop
- Data flow mapping — cardholder data identification
- Network segmentation design and validation
- Penetration testing — PCI DSS Requirement 11.4 (annual + segmentation)
- Vulnerability scanning programme — ASV-aligned quarterly external scans
- Internal vulnerability scanning programme design
- WAF, IDS/IPS, and file integrity monitoring advisory
- Access control and authentication hardening (Req. 7, 8)
- Logging and monitoring programme — Req. 10
- Incident response plan — PCI DSS breach notification requirements
- SAQ selection and completion advisory (SAQ A, A-EP, B, C, D, P2PE)
- QSA liaison and ROC (Report on Compliance) preparation
- Tokenisation and encryption advisory — reduce scope
- Third-party/vendor PCI DSS compliance programme
- RBI payment security regulation integration
Our Engagement Process
How We Work — Step by Step
Initial Scoping & Assessment
We conduct a gap assessment against the applicable framework, define the engagement scope, and produce a prioritised remediation roadmap with timeline and effort estimates.
Programme Design
We design the compliance programme — control framework, documentation structure, evidence requirements, and governance processes — tailored to your organisation.
Implementation Advisory
We advise on implementing each required control — working alongside your technical and operational teams to build controls that are practical and auditable.
Internal Audit & Validation
We conduct an internal audit or readiness assessment — identifying any remaining gaps before the formal certification or attestation process begins.
Certification / Attestation Support
We support the formal audit or assessment — managing auditor queries, providing evidence, and resolving findings on the day.
Post-Certification Advisory
After certification, we provide ongoing support — surveillance audit preparation, change management, and regulatory update advisory.
Typical engagement timeline varies by organisation size and existing control maturity.
Certified Engineers
Our Team Holds
CCSP · CISM · CIPP/E · CEH · OSCP · CISSP · CPENT · ISO 27001 LA
Integration Advantage
Our compliance engagements are backed by qualified legal counsel — ensuring your programme satisfies both technical certification requirements and legal obligations under DPDPA, IT Act, and sector-specific regulation.
Benefits & Deliverables
What You Get from This Engagement
Scoping Workshop
Define your CDE accurately — including all systems that store, process, or transmit cardholder data and all systems connected to them. Correct scoping is the most impactful compliance cost reduction available.
Gap Assessment
Comprehensive gap assessment against all 12 PCI DSS v4.0 requirements — with a prioritised remediation plan and compliance timeline.
Segmentation Validation
Network segmentation penetration testing — validating that your scope-reduction segmentation actually works and that out-of-scope systems cannot reach the CDE.
Penetration Testing
Annual PCI DSS-compliant penetration testing of CDE — both external and internal, with a report format that satisfies QSA requirements.
SAQ/ROC Preparation
For merchants: SAQ selection and completion advisory. For service providers requiring ROC: complete evidence preparation and QSA liaison during the on-site assessment.
Ongoing Compliance
Quarterly scanning, annual testing, and ongoing advisory — keeping your compliance current throughout the year, not just at audit time.
PCI DSS Gap Assessment Report
Control-by-control gap analysis with remediation recommendations, effort estimates, and compliance timeline.
CDE Scoping Document
Formal documentation of CDE boundary, connected systems, data flows, and segmentation architecture.
Penetration Test Report
PCI DSS-compliant penetration test report satisfying Requirement 11.4 and segmentation validation requirements.
ASV Scan Reports
Quarterly passing ASV scan reports as required by PCI DSS Requirement 11.3.
SAQ or ROC Preparation Package
Complete evidence package for SAQ submission or QSA ROC assessment.
Compensating Controls Documentation
Where customised controls are used, formally documented justification and equivalent security demonstration.
Frequently Asked Questions
We accept card payments through a third-party payment gateway. Are we still in scope for PCI DSS?
Yes — if your checkout page redirects to a third-party payment page and you never see cardholder data, you may qualify for SAQ A (the simplest compliance pathway). However, if your website is compromised and the redirect is modified to capture card data before it reaches the payment page, you bear responsibility. PCI DSS v4.0 Requirement 6.4.3 now explicitly requires controls over payment page scripts for e-commerce merchants. We advise on your specific compliance pathway.
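As an added example (not SIRI Law LLP's code or a PCI SSC artefact), the kind of payment-page script inventory check that Requirement 6.4.3 calls for, in Python: every script on the served checkout page is compared against an authorised inventory of script sources and Subresource Integrity (SRI) hashes, so an injected or modified script is reported. The script names, hashes and sample pages are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_hash(content: bytes) -> str:
    """Subresource Integrity value (sha384) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()
class _ScriptCollector(HTMLParser):
    """Collects external <script src> tags and inline script bodies from page HTML."""
    def __init__(self):
        super().__init__()
        self.external = []  # (src, integrity attribute or None)
        self.inline = []    # inline script bodies
        self._in_inline = False
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self._in_inline = True
    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.inline.append(data.strip())
    def handle_endtag(self, tag):
        self._in_inline = self._in_inline and tag != "script"
def audit_payment_page(html, inventory, approved_inline=frozenset()):
    """Compare a served payment page's scripts with the authorised inventory
    (src -> approved SRI hash) and approved inline hashes; return findings."""
    c = _ScriptCollector()
    c.feed(html)
    findings = []
    for src, integrity in c.external:
        expected = inventory.get(src)
        if expected is None:
            findings.append(f"unauthorised script: {src}")
        elif integrity is None:
            findings.append(f"missing integrity attribute: {src}")
        elif integrity != expected:
            findings.append(f"integrity mismatch: {src}")
    for body in c.inline:
        if sri_hash(body.encode()) not in approved_inline:
            findings.append("unauthorised inline script")
    return findings
# Constructed sample inventory and pages, not a real merchant's data.
INVENTORY = {"/static/checkout.js": sri_hash(b"document.getElementById('pay').addEventListener('click', submitOrder);")}
APPROVED_INLINE = {sri_hash(b"window.shopId = 42;")}
GOOD_PAGE = f'<script src="/static/checkout.js" integrity="{INVENTORY["/static/checkout.js"]}"></script><script>window.shopId = 42;</script>'
TAMPERED_PAGE = GOOD_PAGE + '<script src="https://cdn.example.invalid/a.js"></script><script>notInInventory();</script>'
```

Running the check against the live page on a schedule, and alerting on any non-empty result, is what turns the inventory into a tamper-detection control rather than a one-off document.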
What is the difference between a QSA assessment and an SAQ?
A QSA (Qualified Security Assessor) assessment is conducted by an independent PCI SSC-approved firm and produces a Report on Compliance (ROC) — required for Level 1 merchants and most service providers. An SAQ (Self-Assessment Questionnaire) is a self-certification completed by the merchant or service provider — available for lower-risk compliance scenarios. The appropriate validation method depends on your merchant/service provider level and card scheme requirements. We advise on the correct path for your situation.
How does PCI DSS interact with RBI’s payment security regulations?
RBI regulations and card scheme PCI DSS requirements overlap significantly — but are not identical. RBI’s Master Direction on Digital Payment Security Controls and PA-PG guidelines impose requirements on payment aggregators and gateways. We integrate PCI DSS compliance with RBI regulatory obligations — avoiding duplicate work while ensuring full compliance with both frameworks.
Can tokenisation or point-to-point encryption (P2PE) reduce our PCI DSS scope?
Yes — tokenisation and certified P2PE solutions can significantly reduce your CDE scope by ensuring your systems never handle actual PANs (Primary Account Numbers). We advise on the scope reduction available from these technologies and the PCI DSS requirements applicable to the reduced scope. This is one of the most cost-effective ways to simplify ongoing PCI DSS compliance.
Ready to Start Your PCI Journey?
All engagements begin with a complimentary scoping call. Let us understand your environment and propose the right approach.