PCI DSS Compliance & Certification

PCI DSS is the global standard for protecting cardholder data. Every organisation that stores, processes, or transmits payment card information must comply, from corner-shop merchants to global payment service providers. Non-compliance is not optional: fines, increased transaction costs, and acquiring bank action follow quickly after a missed assessment.

RedSecLabs delivers PCI DSS v4.0 services across the full programme lifecycle: scope definition, gap analysis, remediation support, Report on Compliance (ROC) validation, Self-Assessment Questionnaire (SAQ) review, and ongoing compliance management.

Our consultants include QSAs and PCI specialists with deep experience across merchant, service provider, payment gateway, and processor environments, from level-4 SAQ-A merchants to level-1 service providers.

Certifications: CREST Certified Pen Test Provider · ISO Certified · OSCP Certified


UK-based CREST member · QSA-aligned methodology · Same-day scoping response · Executive + technical reports · Retest included

Who this is for

This service is a fit if you’re:

  1. Merchants storing card data: e-commerce platforms, retailers, and merchants processing payments who need to demonstrate PCI DSS compliance.
  2. Service providers: SaaS or infrastructure providers whose customers ask for PCI DSS attestation as part of procurement.
  3. Pre-QSA preparation: organisations preparing for a formal PCI DSS assessment who need gap analysis and readiness support first.

PCI DSS Compliance: Quick Facts

Last reviewed: 2026-05-21

  • Current standard: PCI DSS v4.0.1 (mandatory for all assessments from 31 March 2025)
  • Compliance paths: SAQ (Self-Assessment Questionnaire) or ROC (Report on Compliance), depending on merchant level
  • Merchant levels: Level 1, 6M+ transactions/year (ROC required); Levels 2-4, typically SAQ
  • Validation cadence: annual for ROC; annual SAQ self-attestation for lower levels
  • Required testing: quarterly ASV scans (Req 11.3.2), annual penetration testing (Req 11.4)
  • Coverage: UK, USA, Saudi Arabia, UAE; QSA-aligned methodology across jurisdictions

At a glance: v4.0 (current standard) · QSA (Qualified Security Assessors) · Levels 1-4 (all merchant and SP tiers) · Lifecycle (gap analysis to annual renewal)

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is the global security standard maintained by the PCI Security Standards Council. It applies to every organisation that stores, processes, or transmits cardholder data, whether merchant, service provider, payment gateway, or processor.

PCI DSS v4.0 is the current major version, published in 2022. It introduces a customised approach to control implementation, new requirements around authenticated scanning and targeted risk analyses, and tighter expectations on scoping accuracy. v3.2.1 retired on 31 March 2024, after which all assessments must use v4.0.

What PCI DSS compliance delivers:

  • Eligibility to accept card payments under acquiring bank agreements
  • Reduced exposure to fines following any card data breach
  • Lower transaction fees with major card schemes
  • Cyber insurance coverage eligibility
  • Customer and partner trust around payment data handling
  • Evidence reusable for SOC 2, ISO 27001, and broader compliance programmes

Compliance is annual, and the bar continues to rise. v4.0 makes scoping accuracy and continuous control operation far more material than under previous versions.

Why PCI DSS matters

Card data breaches remain among the most damaging and costly cyber incidents an organisation can experience. Beyond direct fraud costs, breached merchants face card scheme fines, mandatory forensic investigation by PFI-approved investigators, increased transaction processing fees, and lasting customer trust damage.

PCI DSS is not optional: it is a contractual requirement under every major acquiring bank agreement. Non-compliance can result in fines starting from £5,000 per month, escalating significantly after a breach, and ultimately in suspension of card-acceptance privileges.

Common consequences of weak PCI DSS programmes:

  • Card scheme fines from £5,000 to £100,000+ per month
  • Mandatory PFI investigation after any suspected breach
  • Increased transaction processing fees
  • Acquiring bank termination of merchant agreements
  • Direct breach costs averaging £3.4M in the UK in 2025
  • Brand and customer trust damage following public incidents

Strong PCI DSS programmes reduce breach probability, limit financial exposure when incidents occur, and become a strategic asset rather than an annual overhead.

Who needs PCI DSS compliance?

PCI DSS applies to every organisation that interacts with cardholder data. RedSecLabs delivers across all merchant and service provider tiers:

  • E-commerce merchants (all levels)
  • Retail and in-person POS merchants
  • Payment service providers and gateways
  • Card processors and acquirers
  • Cloud hosting providers handling cardholder data
  • Contact centres processing phone payments
  • Software providers in PCI scope (payment apps)
  • Logistics and fulfilment where card data flows

Our PCI DSS Methodology

An eight-stage methodology covering the full PCI DSS compliance lifecycle, from initial scoping through annual renewal.

  1. Scope Definition
    We map cardholder data environments (CDE) and confirm which systems are in scope, in connected scope, or out of scope through network segmentation.
  2. Merchant Level Determination
    We confirm your merchant or service provider level and identify the correct assessment route: SAQ type or full Report on Compliance (ROC).
  3. Gap Analysis
    Comprehensive review against all 12 PCI DSS requirements with control-by-control evidence sampling and remediation prioritisation.
  4. Remediation Support
    Hands-on guidance on common weak areas: network segmentation, encryption key management, authenticated scanning, audit logging, secure development.
  5. Quarterly ASV Scanning
    External vulnerability scanning by an approved scanning vendor (ASV) on a quarterly basis, with remediation support between scans.
  6. Annual Penetration Testing
    Network and application penetration testing meeting PCI DSS requirements 11.4.1-11.4.5, including segmentation validation.
  7. Compliance Validation
    QSA-led ROC or SAQ validation depending on your assessment route, producing the documentation acquirers require.
  8. Annual Renewal & Continuous Compliance
    Year-round programme management to keep controls operational, not just compliant at audit point.

Most clients reach first-time compliance in 3-9 months depending on starting maturity and CDE complexity, with annual renewal cycles thereafter.

What you receive

Every PCI DSS engagement with RedSecLabs includes:

  • Scope analysis and cardholder data environment documentation
  • Merchant level determination and assessment route confirmation
  • Gap analysis report against all 12 PCI DSS v4.0 requirements
  • Prioritised remediation roadmap with effort estimates
  • Quarterly ASV scan reports and remediation guidance
  • Annual penetration test report meeting requirements 11.4.1-11.4.5
  • QSA-validated ROC or signed SAQ with attestation of compliance
  • Ongoing compliance management and acquirer reporting support

Industries We Serve

We deliver this service across these industries:

  • E-commerce
  • Retail & POS
  • Payment Providers
  • Acquirers & Processors
  • Cloud Hosting
  • Contact Centres
  • Travel & Hospitality
  • Petroleum & Fuel

Why RedSecLabs for PCI DSS

  • QSA-led assessments across all merchant levels
  • Scoping and segmentation expertise (v4.0)
  • ASV-grade quarterly vulnerability scanning
  • PCI DSS penetration testing to 11.4 standards
  • Annual renewal and continuous compliance support
  • Acquirer reporting and dispute support

Get PCI DSS v4.0 Compliant

Book a free 30-minute scoping call. Merchant level confirmation, SAQ recommendation, and fixed-fee quote within a week.

Frequently Asked Questions

Levels are set by your annual card transaction volume across all card schemes. Level 1 (over 6M transactions/year) requires QSA-led ROC; Level 2 (1-6M) requires QSA or internal security assessor ROC or SAQ-D; Levels 3 and 4 typically use SAQs. We confirm your level and the right SAQ type at the start of every engagement.

v4.0 (mandatory since 31 March 2024) introduces the customised approach to control implementation, requires authenticated vulnerability scanning, mandates targeted risk analyses for several controls, and tightens scoping accuracy requirements. Several controls have a transitional grace period to 31 March 2025; we help you plan against that timeline.

Yes, every organisation with externally-accessible systems in PCI scope must run quarterly ASV scans by an approved scanning vendor. We provide ASV-aligned scanning as part of our compliance programme, with rescans included after remediation.

PCI DSS Requirements 11.4.1-11.4.5 mandate annual network and application penetration testing, plus segmentation validation testing. Our PCI penetration tests meet all five sub-requirements and produce the formal report acquirers require.

For SAQ-eligible merchants, total consultancy typically £8,000-£35,000 annually. For ROC assessments (Level 1 merchants and service providers), £35,000-£150,000+ depending on CDE complexity, sites, and starting maturity. We provide fixed-fee quotes after scoping.

Major card schemes typically mandate engagement of a PCI Forensic Investigator (PFI) within hours of a suspected breach. Card scheme fines apply; your acquiring bank may impose increased scrutiny or terminate your agreement; and remediation costs are largely uninsured under standard policies. Strong PCI programmes materially reduce both probability and severity.

What you receive

Every engagement includes

  • Scoping call. A 30-minute call to define scope, timeline, and authorisation boundaries.
  • Test plan. Written test plan covering targets, methodology, and rules of engagement.
  • Technical report. Detailed findings with reproduction steps, evidence, and remediation guidance.
  • Executive summary. Board-ready 1-2 page summary with risk ratings and business impact.
  • Audit-ready evidence. Findings letter formatted for auditors, customers, and supervisory authorities.
  • Retest letter. Free retest of remediated findings within an agreed window. Confirmation letter included.
  • Remediation call. A call with our lead tester to walk through findings and remediation strategy.

How we deliver

Our process, end to end

  1. Scoping call & fixed-scope quote
    A 30-minute call. We define scope, targets, and timeline. You get a fixed-scope quote within one working day. No surprise invoices.
  2. Test plan & authorisation
    Written test plan covering methodology, targets, and rules of engagement. Authorisation letter signed before any testing begins.
  3. CREST-aligned execution
    Senior tester runs the engagement. Critical findings flagged immediately during testing. Daily updates if you want them.
  4. Technical + executive report
    Detailed technical findings with reproduction steps. Board-ready executive summary. Delivered within agreed working days.
  5. Remediation call & retest
    Walkthrough with our lead tester. Retest of remediated findings within the agreed window. Confirmation letter for your auditors.

Engagement scope

What shapes the quote

  • Small scope: single app, focused scope, smaller surface. 5-7 working days.
  • Medium scope: multi-role platform, several user types, integrations. 8-12 working days.
  • Enterprise scope: complex environment, multiple targets, compliance evidence. 12-25 working days.

Fixed-scope quote within 1 working day: no surprise invoices, no scope-creep. We commit to a number before you commit to us.

Sample report

See exactly what we deliver: download a redacted RedSecLabs penetration test report. Same format, same depth, same clarity as the report your team will receive.

Why RedSecLabs

Grounded reasons clients choose us

  • UK-based team. Testers based in the UK. Data stays within UK/EU jurisdiction for sensitive engagements.
  • CREST member company. CREST-aligned methodology. Senior testers hold CREST CRT or CCT certifications.
  • Manual testing, not scanner-only. Automated scanners catch the obvious. Our human testers find the issues that matter.
  • Clear executive reporting. Reports your board can read and your developers can act on. No jargon padding.
  • Compliance-aware delivery. PCI, SOC 2, ISO 27001, DORA, GDPR. We map findings to your compliance framework.
  • Retest support included. Free retest of remediated findings within an agreed window. Confirmation letter for auditors.

Related services

Often paired with this engagement

  • PCI DSS QSA (UK): formal QSA assessment in the UK.
  • PCI DSS QSA (US): formal QSA assessment in the US.
  • PCI ASV Scanning: external quarterly scans (via ASV partner).
  • Network Pentesting: required under Requirement 11.
  • Web App Pentesting: for payment applications.