PCI DSS v4.0 Compliance That Protects Your Payment Environment — and Your Right to Process Cards
Norvex Assurance guides merchants, payment service providers, and fintech companies through PCI DSS v4.0 compliance — from Cardholder Data Environment scoping and gap analysis through SAQ preparation, ASV scanning coordination, and QSA assessment management.

PCI DSS (Payment Card Industry Data Security Standard) is the mandatory security framework created by the PCI Security Standards Council — founded by Visa, Mastercard, American Express, Discover, and JCB — to protect cardholder data across the global payments ecosystem. It applies to any organization that stores, processes, or transmits payment card data, regardless of size or transaction volume. PCI DSS v4.0 became the sole active standard in March 2024, introducing 64 new requirements compared to v3.2.1. Non-compliance exposes your organization to card brand fines ($5,000–$100,000 per month), higher transaction fees, and — in the worst case — termination of your ability to accept payment cards entirely.
Not sure if you need PCI-DSS?
Talk to one of our experts — free, no obligation.
Your compliance level is determined by your annual card transaction volume and your acquiring bank's requirements. Find the level that applies to your business below.
Annual on-site QSA audit + quarterly ASV scans
What it evaluates
The most rigorous PCI tier — requires a full on-site audit by a Qualified Security Assessor and quarterly scans by an Approved Scanning Vendor. Applies to large merchants and service providers storing, processing, or transmitting cardholder data on behalf of others.
Ideal for
High-volume merchants and PSPs where acquiring banks and card brands mandate a formal QSA engagement and Report on Compliance.
Assurance value
The Level 1 Report on Compliance (ROC) provides the highest assurance available under PCI DSS — satisfying all major acquiring banks and card brands.
Annual SAQ + quarterly ASV scans
What it evaluates
Annual self-assessment using the appropriate SAQ, plus quarterly ASV scans. Some acquirers require an Attestation of Compliance from a QSA.
Ideal for
Mid-size merchants where the acquiring bank requires annual SAQ completion and documented evidence of a controlled card data environment.
Assurance value
Completed SAQ and clean scan results demonstrate compliance to your acquiring bank. Selecting the correct SAQ type is critical — we determine the right form based on your actual environment.
Annual SAQ + quarterly ASV scans
What it evaluates
Specific to e-commerce merchants accepting card payments through a gateway or third-party processor — each integration type carries distinct SAQ implications.
Ideal for
E-commerce merchants accepting cards via hosted payment page, gateway redirect, or JavaScript-based form.
Assurance value
Satisfies acquirer requirements and demonstrates to enterprise customers that your payment environment meets current industry standards.
Annual SAQ as required by acquirer
What it evaluates
Many Level 4 merchants qualify for the simplest SAQ types when using compliant third-party processors. PCI obligations exist at every tier regardless of volume.
Ideal for
Small merchants with low transaction volumes. Level 4 status does not eliminate liability for card data breaches.
Assurance value
A documented compliance position that protects against card brand fines and demonstrates payment security to customers and partners.
Not sure which level applies to you?
We define your Cardholder Data Environment — every system and component that stores, processes, or transmits cardholder data. Precise scoping is the highest-value step in any PCI engagement.
We evaluate tokenisation, Point-to-Point Encryption, and network segmentation opportunities to remove systems from PCI scope before addressing controls.
We assess your environment against all PCI DSS v4.0 requirements and produce a risk-ranked findings report with clear priorities for each control gap.
We implement required technical and administrative controls — network segmentation, encryption, access management, logging, vulnerability management, and security awareness training.
We prepare your Self-Assessment Questionnaire or support your QSA in preparing the Report on Compliance — every response accurate, evidenced, and precisely phrased.
We coordinate quarterly external vulnerability scans, manage finding remediation, and facilitate rescans to achieve and document clean results.
For Level 1 engagements, we prepare your environment, compile the evidence package, and act as primary liaison throughout the on-site assessment.
PCI non-compliance can result in loss of payment processing ability — the existential risk for any card-accepting business.
PCI controls reduce the probability of a payment card data breach — an incident that averages $4.5M and frequently ends businesses that experience one.
Strategic tokenisation, P2PE, and segmentation can significantly reduce your PCI scope — lowering control obligations and simplifying ongoing management.
PCI DSS v4.0 introduced 64 new requirements. We implement directly to v4.0 — no legacy gaps, no transition overhead.
Choosing the wrong SAQ understates your obligations and creates liability. We determine the correct type for your exact card data environment.
PCI compliance signals to acquirers, customers, and business partners that your payment environment is secure and professionally managed.
Everything required to achieve and maintain PCI DSS v4.0 compliance — no hidden extras.
"We were categorized as a Level 1 service provider and facing a QSA assessment with significant gaps. Norvex Assurance restructured our entire cardholder data environment, implemented segmentation that dramatically reduced our scope, and managed the QSA audit from start to finish. Clean ROC on the first attempt."
Head of Security
B2B Payments Platform — Series C
"We'd been completing the wrong SAQ type for two years without realizing it. Norvex Assurance re-scoped our CDE, identified that tokenisation made us SAQ A eligible, and cut our compliance scope by 80%. What had been a 200-question assessment became a 22-question one."
CTO
E-Commerce SaaS — Series A
"PCI DSS v4.0 introduced requirements we had no idea how to address. Norvex Assurance mapped every new requirement to our environment, built the controls, and got us compliant to v4.0 from day one — no legacy v3.2.1 gaps to carry forward."
VP of Compliance
FinTech Startup