Skip to main content
Services · PCI DSS Compliance

PCI DSS v4.0, Scope, Segment, SAQ & Assessor Liaison

Scope. Segment. Audit. Pass.

Taking card payments? PCI DSS applies, to you and every vendor in the chain. We scope your cardholder data environment, segment what we can, document the rest, and get you to a defensible Self-Assessment Questionnaire or Report on Compliance. For businesses anywhere in the world.

What you get

Defensible compliance, scoped to its minimum.

Cardholder data scoping

Map every place cardholder data (CHD) and sensitive authentication data (SAD) lives in your business, applications, databases, logs, backups, third parties. Output: a defensible CDE (Cardholder Data Environment) definition.

Scope reduction architecture

Most PCI burden comes from over-broad scope. We design network segmentation, tokenisation and outsourcing patterns that legitimately shrink your CDE, and the audit cost with it.

SAQ documentation

For SAQ-A, SAQ-A-EP, SAQ-D Merchant, SAQ-D Service Provider, we document each control with evidence, ready for your acquirer or QSA review.

Quarterly ASV scan oversight

Required ASV (Approved Scanning Vendor) external scans for systems in scope. We coordinate, triage findings, and ensure clean reports.

Policies & procedures

The 12-domain PCI DSS v4.0 policy set, information security, access control, vulnerability management, monitoring, incident response, written to your environment, not pasted from templates.

Assessor / acquirer liaison

We work alongside your QSA, ISA or acquirer's compliance team, managing requests, evidence packaging, gap remediation, getting you to a clean Attestation of Compliance.

How we work

Four phases, six to twelve weeks for most businesses.

01

Scope

Two-to-three weeks. Discovery of every place CHD/SAD flows in your business. Output: a CDE map and an SAQ recommendation (most businesses qualify for a simpler SAQ than they think).

02

Segment

Design and implement the scope-reduction architecture, network segmentation, tokenisation, hosted payment page integration. Most of the engineering work happens here.

03

Audit

Operate controls. Run ASV scans. Collect evidence. Write the SAQ or work with your QSA on Report on Compliance.

04

Pass

Submit AOC to your acquirer or payment processor. Annual re-attestation built into a retainer.

Common questions

PCI DSS, plainly answered.

Does PCI DSS apply to my business?

+

PCI DSS applies to any organisation that stores, processes or transmits cardholder data, and to any business that could impact the security of cardholder data, even if it never sees a card number. That means: every e-commerce store taking card payments, every SaaS that handles payment data, every marketplace, every donation platform. Even businesses using fully-outsourced payment processors (Stripe, Razorpay, PayPal) typically need at least SAQ-A compliance. The applicable Self-Assessment Questionnaire depends on your payment integration model.

Which SAQ do I need?

+

It depends on your payment integration: SAQ-A (fully outsourced, hosted payment page with no card data touching your servers, e.g., Stripe Checkout, Razorpay redirect), SAQ-A-EP (your site iframes or scripts in a payment provider, but you don't store card data), SAQ-D Merchant (you store, process or transmit card data on your own systems), or SAQ-D Service Provider (you handle card data for other merchants). Most modern e-commerce and SaaS qualify for SAQ-A, and the architecture changes to get there usually pay for themselves in a single audit cycle.

How much does PCI DSS compliance cost?

+

RoseLeap's PCI DSS readiness for a typical SAQ-A or SAQ-A-EP business runs $2,500–$10,000 USD (₹2 lakh–₹8 lakh), including scope reduction architecture, documentation and SAQ completion. SAQ-D businesses run higher, $8,000–$30,000 USD (₹6 lakh–₹25 lakh), because of broader scope. Annual ASV scans cost $200–$1,000 USD/year. QSA audit (Report on Compliance, required for Level 1 merchants) ranges $20,000–$100,000 USD depending on environment complexity. We work in USD, GBP, EUR and INR.

What is PCI DSS v4.0?

+

PCI DSS v4.0 is the current version of the standard, fully enforced from 31 March 2025. It tightens authentication requirements (MFA for all admin access to CDE), expands targeted risk analyses, requires continuous monitoring of certain controls, and adds customised approach options for mature security programs. If you certified under v3.2.1 before March 2025, your next assessment must use v4.0.

What happens if I am not PCI compliant?

+

Non-compliance penalties from card brands (Visa, Mastercard, Amex) range from $5,000 to $100,000 USD per month, escalating with severity. After a breach, you can be fined up to $500,000 USD per incident, lose your ability to accept cards, and be put on the MATCH list (which makes future card processing difficult). Beyond the brands, your acquirer can terminate your account immediately. Most businesses learn about PCI compliance the hard way, typically after their first incident.

Can I be PCI compliant if I use Stripe / Razorpay / PayPal?

+

Yes, and in fact, using a hosted payment provider is the simplest route to PCI compliance. With SAQ-A (fully outsourced hosted payment page), you avoid handling card data entirely. The payment provider takes most of the PCI burden; you still need a basic SAQ-A attestation and adherence to a small set of operational controls (vendor management, security policies, training). We typically design e-commerce and SaaS payment flows for SAQ-A whenever possible.

How long does PCI DSS readiness take?

+

For a business already on Stripe / Razorpay hosted checkout aiming for SAQ-A: 4–6 weeks of readiness work plus the time to operate controls and complete attestation. For SAQ-D businesses with on-prem card data handling: 3–6 months of remediation plus continuous control operation. We typically recommend scope reduction (moving to SAQ-A or SAQ-A-EP) as the first move, it cuts ongoing compliance cost by 70%+.

Take payments, defensibly.

Tell us your payment integration and merchant level. We come back with a fixed-fee scope and a date you can be PCI DSS-compliant by.