Home/Services/PCI-DSS
Payment Security

PCI-DSS

PCI DSS v4.0 Compliance That Protects Your Payment Environment — and Your Right to Process Cards

Norvex Assurance guides merchants, payment service providers, and fintech companies through PCI DSS v4.0 compliance — from Cardholder Data Environment scoping and gap analysis through SAQ preparation, ASV scanning coordination, and QSA assessment management.

PCI-DSS compliance illustration

What Is PCI DSS — and Why Does It Apply to You?

PCI DSS (Payment Card Industry Data Security Standard) is the mandatory security framework created by the PCI Security Standards Council — founded by Visa, Mastercard, American Express, Discover, and JCB — to protect cardholder data across the global payments ecosystem. It applies to any organization that stores, processes, or transmits payment card data, regardless of size or transaction volume. PCI DSS v4.0 became the sole active standard in March 2024, introducing 64 new requirements compared to v3.2.1. Non-compliance exposes your organization to card brand fines ($5,000–$100,000 per month), higher transaction fees, and — in the worst case — termination of your ability to accept payment cards entirely.

Key Highlights

  • Mandatory for all merchants, PSPs, and service providers handling card data
  • 12 requirement domains covering network security, access control, encryption, and monitoring
  • 4 merchant compliance levels determined by annual transaction volume
  • PCI DSS v4.0 is the sole active standard as of March 2024

Who Needs PCI-DSS?

E-Commerce & Retail Merchants
Payment Service Providers & Acquirers
FinTech & Neobanks
SaaS Platforms with Embedded Payments

Not sure if you need PCI-DSS?

Talk to one of our experts — free, no obligation.

PCI DSS Compliance Levels — A Clear Comparison

Your compliance level is determined by your annual card transaction volume and your acquiring bank's requirements. Find the level that applies to your business below.

Level 1 — Highest Transaction Volume

Annual on-site QSA audit + quarterly ASV scans

What it evaluates

The most rigorous PCI tier — requires a full on-site audit by a Qualified Security Assessor and quarterly scans by an Approved Scanning Vendor. Applies to large merchants and service providers storing, processing, or transmitting cardholder data on behalf of others.

Ideal for

High-volume merchants and PSPs where acquiring banks and card brands mandate a formal QSA engagement and Report on Compliance.

Assurance value

The Level 1 Report on Compliance (ROC) provides the highest assurance available under PCI DSS — satisfying all major acquiring banks and card brands.

Gold Standard

Level 2 — Mid-Volume Merchant

Annual SAQ + quarterly ASV scans

What it evaluates

Annual self-assessment using the appropriate SAQ, plus quarterly ASV scans. Some acquirers require an Attestation of Compliance from a QSA.

Ideal for

Mid-size merchants where the acquiring bank requires annual SAQ completion and documented evidence of a controlled card data environment.

Assurance value

Completed SAQ and clean scan results demonstrate compliance to your acquiring bank. Selecting the correct SAQ type is critical — we determine the right form based on your actual environment.

Level 3 — E-Commerce Merchant

Annual SAQ + quarterly ASV scans

What it evaluates

Specific to e-commerce merchants accepting card payments through a gateway or third-party processor — each integration type carries distinct SAQ implications.

Ideal for

E-commerce merchants accepting cards via hosted payment page, gateway redirect, or JavaScript-based form.

Assurance value

Satisfies acquirer requirements and demonstrates to enterprise customers that your payment environment meets current industry standards.

Level 4 — Lowest Transaction Volume

Annual SAQ as required by acquirer

What it evaluates

Many Level 4 merchants qualify for the simplest SAQ types when using compliant third-party processors. PCI obligations exist at every tier regardless of volume.

Ideal for

Small merchants with low transaction volumes. Level 4 status does not eliminate liability for card data breaches.

Assurance value

A documented compliance position that protects against card brand fines and demonstrates payment security to customers and partners.

Not sure which level applies to you?

Our PCI-DSS Process

01

CDE Scoping & Data Flow Mapping

We define your Cardholder Data Environment — every system and component that stores, processes, or transmits cardholder data. Precise scoping is the highest-value step in any PCI engagement.

02

Scope Reduction Strategy

We evaluate tokenisation, Point-to-Point Encryption, and network segmentation opportunities to remove systems from PCI scope before addressing controls.

03

Gap Assessment

We assess your environment against all PCI DSS v4.0 requirements and produce a risk-ranked findings report with clear priorities for each control gap.

04

Control Implementation

We implement required technical and administrative controls — network segmentation, encryption, access management, logging, vulnerability management, and security awareness training.

05

SAQ or ROC Preparation

We prepare your Self-Assessment Questionnaire or support your QSA in preparing the Report on Compliance — every response accurate, evidenced, and precisely phrased.

06

ASV Scanning Coordination

We coordinate quarterly external vulnerability scans, manage finding remediation, and facilitate rescans to achieve and document clean results.

07

QSA Assessment Management

For Level 1 engagements, we prepare your environment, compile the evidence package, and act as primary liaison throughout the on-site assessment.

Business Impact

Why Organisations Choose Norvex for PCI-DSS ?

Maintain Card Processing Rights

PCI non-compliance can result in loss of payment processing ability — the existential risk for any card-accepting business.

Reduced Breach Risk

PCI controls reduce the probability of a payment card data breach — an incident that averages $4.5M and frequently ends businesses that experience one.

Scope Reduction

Strategic tokenisation, P2PE, and segmentation can significantly reduce your PCI scope — lowering control obligations and simplifying ongoing management.

v4.0 Alignment from Day One

PCI DSS v4.0 introduced 64 new requirements. We implement directly to v4.0 — no legacy gaps, no transition overhead.

Correct SAQ Selection

Choosing the wrong SAQ understates your obligations and creates liability. We determine the correct type for your exact card data environment.

Customer & Partner Trust

PCI compliance signals to acquirers, customers, and business partners that your payment environment is secure and professionally managed.

What's Included in Your PCI-DSS Engagement

Everything required to achieve and maintain PCI DSS v4.0 compliance — no hidden extras.

01
01 — Cardholder Data Environment scoping and data flow diagrams
02
02 — Scope reduction strategy and implementation (tokenisation, P2PE, segmentation)
03
03 — PCI DSS v4.0 gap analysis with risk-ranked remediation roadmap
04
04 — Complete PCI-compliant policy and procedure documentation
05
05 — Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)
06
06 — ASV scan coordination, finding remediation, and clean scan documentation
07
07 — QSA assessment preparation, support, and Attestation of Compliance (AoC)

What Our Clients Say

"We were categorized as a Level 1 service provider and facing a QSA assessment with significant gaps. Norvex Assurance restructured our entire cardholder data environment, implemented segmentation that dramatically reduced our scope, and managed the QSA audit from start to finish. Clean ROC on the first attempt."

Head of Security

B2B Payments Platform — Series C

"We'd been completing the wrong SAQ type for two years without realizing it. Norvex Assurance re-scoped our CDE, identified that tokenisation made us SAQ A eligible, and cut our compliance scope by 80%. What had been a 200-question assessment became a 22-question one."

CTO

E-Commerce SaaS — Series A

"PCI DSS v4.0 introduced requirements we had no idea how to address. Norvex Assurance mapped every new requirement to our environment, built the controls, and got us compliant to v4.0 from day one — no legacy v3.2.1 gaps to carry forward."

VP of Compliance

FinTech Startup

Common Questions About PCI-DSS

Ready to Start Your PCI-DSS Journey?

Get a Free Consultation

Response within 24 hours
Fixed-fee pricing
No obligation
Explore More

Other Services You May Need