PCI DSS v4.0 Compliance That Protects Your Payment Environment — and Your Right to Process Cards
Norvex Assurance guides merchants, payment service providers, and fintech companies through PCI DSS v4.0 compliance — from Cardholder Data Environment scoping and gap analysis through SAQ preparation, ASV scanning coordination, and QSA assessment management.
PCI DSS v4.0 Compliance
End-to-end managed service
PCI DSS (Payment Card Industry Data Security Standard) is the mandatory security framework created by the PCI Security Standards Council — founded by Visa, Mastercard, American Express, Discover, and JCB — to protect cardholder data across the global payments ecosystem. It applies to any organization that stores, processes, or transmits payment card data, regardless of size or transaction volume. PCI DSS v4.0 became the sole active standard in March 2024, introducing 64 new requirements compared to v3.2.1. Non-compliance exposes your organization to card brand fines ($5,000–$100,000 per month), higher transaction fees, and — in the worst case — termination of your ability to accept payment cards entirely.
Not sure if you need PCI DSS?
Talk to one of our experts — free, no obligation.
Highest Transaction Volume Tier
What it covers
The most rigorous PCI tier. Requires an annual on-site audit by a Qualified Security Assessor (QSA) and quarterly network scans by an Approved Scanning Vendor (ASV). Applies to large merchants and any service provider that stores, processes, or transmits cardholder data on behalf of others.
Timeline
Structured assessment preparation with Norvex Assurance
Best for
High-volume merchants and payment service providers where acquiring banks and card brands mandate a formal QSA engagement and Report on Compliance.
Business impact
The Level 1 Report on Compliance (ROC) provides the highest level of assurance available under PCI DSS and satisfies the requirements of all major acquiring banks and card brands.
Mid-Volume Merchant Tier
What it covers
Annual self-assessment using the appropriate SAQ, plus quarterly ASV scans. Some acquirers require an Attestation of Compliance (AoC) from a QSA. Applies to mid-size merchants across all payment channels.
Timeline
SAQ completion with Norvex Assurance support
Best for
Mid-size merchants where the acquiring bank requires annual SAQ completion and documented evidence of a controlled card data environment.
Business impact
Completed SAQ and clean ASV scan results demonstrate compliance to your acquiring bank. Selecting the correct SAQ type is critical — Norvex Assurance determines the right form based on your actual card data environment.
E-Commerce Merchant Tier
What it covers
Annual SAQ completion and quarterly ASV scans. Specific to e-commerce merchants accepting card payments through a payment gateway or third-party processor.
Timeline
SAQ completion with Norvex Assurance support
Best for
E-commerce merchants who accept card payments via a hosted payment page, payment gateway redirect, or JavaScript-based form — each of which carries distinct SAQ implications.
Business impact
Satisfies acquirer requirements and demonstrates to enterprise customers that your payment environment meets current industry security standards.
Lowest Transaction Volume Tier
What it covers
Annual SAQ completion and quarterly ASV scans as required by your acquirer. Many Level 4 merchants qualify for the simplest SAQ types when they use compliant third-party processors.
Timeline
Streamlined SAQ completion with Norvex Assurance
Best for
Small merchants with low transaction volumes. Liability for card data breaches exists at every tier — Level 4 status does not eliminate PCI obligations.
Business impact
Even the lightest-scope SAQ creates a documented compliance position that protects against card brand fines and demonstrates payment security to customers and partners.
We define your Cardholder Data Environment (CDE) — every system, component, and individual that stores, processes, or transmits cardholder data. Precise scoping is the highest-value step in any PCI engagement: an over-scoped CDE multiplies your control obligations and ongoing cost.
We evaluate tokenisation, Point-to-Point Encryption (P2PE), and network segmentation opportunities to remove systems from PCI scope. Organizations that invest in scope reduction before addressing controls significantly simplify their ongoing obligations.
We evaluate your environment against all applicable PCI DSS v4.0 requirements and produce a risk-ranked findings report with clear priorities and effort estimates for each identified control gap.
We implement required technical and administrative controls — firewall and network segmentation configurations, encryption of cardholder data at rest and in transit, access controls, logging and monitoring, vulnerability management, and security awareness training for personnel with CDE access.
We prepare your Self-Assessment Questionnaire (SAQ) or support your QSA in preparing the Report on Compliance (ROC). Every response is accurate, supported by complete evidence, and phrased precisely — no ambiguity that invites additional scrutiny from your acquirer or assessor.
We coordinate your quarterly external vulnerability scans with an Approved Scanning Vendor (ASV), manage the finding review process, oversee technical resolution of identified issues, and facilitate rescans to achieve and document clean results.
For Level 1 engagements requiring a QSA on-site, we prepare your environment, brief your team on what to expect, compile the complete evidence package, and act as the primary liaison throughout the assessment — minimizing disruption and ensuring your team is never caught unprepared.
PCI non-compliance can result in loss of payment processing ability — the existential risk for any business that accepts cards.
PCI controls significantly reduce the probability of a payment card data breach — which averages $4.5M per incident and frequently ends businesses that experience them.
Strategic tokenisation, P2PE, and segmentation can dramatically reduce your PCI scope — translating directly to lower compliance cost and simpler ongoing management.
PCI DSS v4.0 introduces 64 new requirements. Norvex Assurance implements directly to v4.0 — no legacy gaps, no transition overhead.
Choosing the wrong SAQ understates your compliance obligations and creates liability. We determine the correct SAQ type for your exact card data environment.
PCI compliance signals to customers, acquirers, and business partners that your payment environment is secure and professionally managed.
Our fixed-scope engagement covers every deliverable needed to achieve and maintain your PCI DSS certification — no hidden extras.
"We were categorized as a Level 1 service provider and facing a QSA assessment with significant gaps. Norvex Assurance restructured our entire cardholder data environment, implemented segmentation that dramatically reduced our scope, and managed the QSA audit from start to finish. Clean ROC on the first attempt."
Head of Security
B2B Payments Platform — Series C
"We'd been completing the wrong SAQ type for two years without realizing it. Norvex Assurance re-scoped our CDE, identified that tokenisation made us SAQ A eligible, and cut our compliance scope by 80%. What had been a 200-question assessment became a 22-question one."
CTO
E-Commerce SaaS — Series A
"PCI DSS v4.0 introduced requirements we had no idea how to address. Norvex Assurance mapped every new requirement to our environment, built the controls, and got us compliant to v4.0 from day one — no legacy v3.2.1 gaps to carry forward."
VP of Compliance
FinTech Startup