PCI DSS v4.0.1
Your PCI DSS report, 6–10 weeks from now.
Most companies massively over-scope their PCI environment. We start by drawing a tight Cardholder Data Environment (CDE) boundary, usually so that your customers' card data never reaches your servers at all (Stripe Elements, hosted checkout, provider-side tokenization), then implement only the controls that actually apply to what is left in scope. Result: a clean Attestation of Compliance (AOC) against the smallest SAQ you qualify for, SAQ-A where the provider handles the card data, SAQ-D-Merchant where you genuinely do, with the control count cut to what your scope really requires.
What you get
Everything in your PCI DSS program
Built specifically for anyone storing, processing, or transmitting cardholder data.
CDE scoping workshop — we draw the smallest possible PCI boundary based on how you actually take payments
Self-Assessment Questionnaire (SAQ-A, SAQ-A-EP, or SAQ-D) selection and completion
All 12 PCI DSS v4.0.1 requirements implemented and evidenced
Quarterly ASV (Approved Scanning Vendor) external scans + remediation
Annual penetration test (segmentation + application) — we coordinate with a QSA-friendly pentester
Cardholder data discovery scans across your codebase, storage, and logs (find PANs you forgot about)
Secure SDLC + change management evidence for PCI-touched code
Attestation of Compliance (AOC) signed and ready for your acquirer
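The cardholder data discovery step above is the one item on this list that is pure engineering, so here is an added example of what such a scan does at its core. This is illustrative code written for this page, not the service's own tooling: it pulls 13 to 19 digit candidates out of text, keeps only those that pass the Luhn check (which real PANs satisfy and most order IDs and timestamps do not), and reports them masked to first six and last four so the findings file does not itself become a cardholder-data store. The log lines in SAMPLE_LOG are constructed, and the card numbers in them are Stripe's published test PANs, which are Luhn-valid and therefore get flagged exactly like real ones would, which is the point: they show where card numbers flow into your logs.

```python
"""Cardholder-data discovery: flag Luhn-valid PAN candidates in text.

Added example for this page, not the service's own tooling. SAMPLE_LOG is
constructed; the card numbers in it are Stripe's published test PANs.
"""
import re
import sys
from pathlib import Path

# Candidate: 13-19 digits, optionally split by single spaces or dashes (the
# groupings people paste into logs and tickets). The lookarounds stop a
# candidate from starting or ending inside a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; PANs satisfy it, most IDs and timestamps do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def issuer_hint(digits: str) -> str:
    """Brand guess from the leading digits; an annotation, not a filter."""
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4":
        return "Visa"
    if 51 <= two <= 55 or 2221 <= four <= 2720:
        return "Mastercard"
    if two in (34, 37):
        return "Amex"
    if four == 6011 or two == 65:
        return "Discover"
    return "unknown"


def mask(digits: str) -> str:
    """First six and last four only, the most PCI DSS Req. 3.4.1 lets a
    display show; never write the full PAN back into your own findings."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return (line_number, masked_pan, brand) for each Luhn-valid candidate."""
    findings = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((line_no, mask(digits), issuer_hint(digits)))
    return findings


def scan_file(path: str):
    """Scan one file; undecodable bytes are replaced rather than failing the scan."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return [(path, line, pan, brand) for line, pan, brand in find_pans(text)]


# Constructed sample: one PAN in an error message, one in a JSON body that a
# legacy form posted, one in a refund line. The order ID and the timestamp
# are 16 and 13 digits long but fail Luhn; the masked value has no digit run.
SAMPLE_LOG = """\
2025-01-15T10:02:11Z INFO order_id=1234567890123456 ts=1700000000123 status=paid
2025-01-15T10:02:12Z DEBUG stripe_token=tok_visa_4242 masked=424242******4242
2025-01-15T10:02:13Z ERROR charge failed for card 4242 4242 4242 4242 exp 12/27
2025-01-15T10:02:14Z WARN legacy form posted {"card":"5555555555554444","cvc":"123"}
2025-01-15T10:02:15Z INFO refund on 4111-1111-1111-1111 ok
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = [h for p in sys.argv[1:] for h in scan_file(p)]
    else:
        hits = [("SAMPLE_LOG", *h) for h in find_pans(SAMPLE_LOG)]
    for path, line, pan, brand in hits:
        print(f"{path}:{line}: {pan} ({brand})")
```

Run it with no arguments to scan the embedded sample, or pass file paths (log archives, database dumps, source trees) to scan those. Expect some false positives from long Luhn-valid identifiers; the brand hint helps triage them. A production scan also needs to cover compressed and rotated logs, backups, and ticketing systems, which is where forgotten PANs usually live.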
Pricing
Fixed price. No annual contract.
Setup gets you to the report. The retainer keeps you compliant. Cancel any time.
Setup: one-time, fixed fee
- Full PCI DSS program build
- Auditor introductions and prep
- 6–10 weeks to AOC
Retainer: cancel any time
- Continuous control monitoring
- Quarterly access reviews + risk refresh
- Drift remediation by our team
- Annual re-audit support included
Audit fees paid directly to your auditor (not marked up). We negotiate fixed-fee quotes from our auditor network.
Stack frameworks, save money
Reuse your PCI DSS work across other frameworks
Most controls overlap. Your second framework costs a fraction of the first.
PCI DSS questions, answered
If you use Stripe Checkout or Elements correctly, your self-assessment drops to SAQ-A, a few dozen questions instead of the ~250 in SAQ-D. You're still in scope (the standard applies to every entity that stores, processes, or transmits cardholder data, or could affect its security), but the bar is dramatically lower. We help you stay on the SAQ-A path: no card data in your own forms, logs, or databases, and no script on the payment page that can see it.
SAQ-A: your page never handles card data, either through a full hosted checkout (e.g., a Stripe Checkout redirect) or through card fields served by the provider inside iframes (e.g., Stripe Elements), so every element of the payment page that touches the PAN comes from the PCI-validated provider. Easiest. SAQ-A-EP: your own page or JavaScript collects the card number before handing it to the processor (a custom form posting directly to the processor's API), which puts your web server in scope even though it never stores the PAN. Middle ground. SAQ-D: you receive, process, or store the PAN on your own systems. Hardest, full PCI program. We'll scope you down as far as possible.
Most merchants self-assess (SAQ + AOC). A Qualified Security Assessor (QSA) is only mandatory for a full Report on Compliance (ROC), which the card brands require at Level 1 (over 6M transactions per year) and which your acquirer can demand at any level. We can engage a QSA when needed; we partner with a few we trust.
v4.0 (2022) introduced authenticated internal vulnerability scans, MFA for all access into the CDE, the customized approach (you can propose alternative controls and document how they meet the objective), and stronger software and payment-page requirements (software inventory, payment-page script integrity, change detection). v4.0.1 (June 2024) is a clarification release with no new requirements, and it is the only version you can now be assessed against: v3.2.1 was retired on 31 March 2024, and the requirements v4.0 labelled future-dated became mandatory on 31 March 2025. We implement against v4.0.1 from day one.
Annually. PCI requires a fresh AOC every 12 months, plus quarterly ASV scans. The retainer covers all of it — you don't restart from scratch each year.
Ready to ship your PCI DSS?
Tell us your timeline. We'll scope the work, give you a fixed price, and start this week.