Services PCI DSS Compliance & Certification in the United States
+44 20 3996 1505

PCI DSS Compliance & Certification in the United States

PCI DSS is the global cybersecurity standard for any organisation that stores, processes or transmits cardholder data. The US is the largest card payments market in the world, with the most aggressive threat targeting of cardholder data and the most actively enforced card brand compliance programmes.

RedSecLabs delivers PCI DSS v4.0.1 compliance services to organisations in the United States and across global markets. QSA-aligned scoping, gap remediation, formal Report on Compliance (ROC) for Level 1 and qualifying service providers, Self-Assessment Questionnaire (SAQ) support for lower levels, and the segmentation and e-commerce skimming controls v4.0.1 now demands.

Our assessors combine deep PCI DSS methodology with payments-sector experience. We deliver PCI DSS for US-headquartered organisations, US subsidiaries of international groups, and global payment businesses with US merchant operations. In the US, PCI DSS interacts with state-level data breach notification laws, the New York DFS 23 NYCRR 500 cybersecurity regulation for financial services, and sectoral regulators including the FTC for unfair-deceptive practices following payment data incidents. Our methodology aligns to QSA practice and produces ROC and SAQ artefacts that US acquirers, card brands and forensic investigators recognise.

CREST Certified Pen Test Provider ISO Certified OSCP Certified Industry Certification

Free Security Quote

Just a few questions to scope your project. We respond the same business day.

UK-based CREST member · QSA-aligned methodology · Same-day scoping response · Executive + technical reports · Retest included
PCI DSS v4.0.1
Latest standard
QSA-aligned
Methodology
ROC + SAQ
Full spectrum
CREST
Member company

Why a the United States PCI DSS partner matters

PCI DSS is set globally by the PCI Security Standards Council, but how it lands operationally in the United States depends on acquirer relationships, card brand expectations, local regulator stance on cyber, and the operating reality of payment processing in the United States. A global standard delivered by a generic global vendor can miss what your acquirer and local regulator actually expect from the evidence pack.

Our delivery model is shaped by working with the United States-based payment businesses and the acquirers they report to. That includes coordinating with your acquirer and merchant bank on attestation submissions, dealing with local interpretations of v4.0.1 e-skimming requirements, and aligning PCI DSS with other regulatory regimes that apply to your operations.

What our PCI DSS engagements deliver:

Accurate scope reduction that materially lowers ongoing cost

QSA-aligned formal Report on Compliance (ROC) where required

SAQ support for Level 2-4 merchants

PCI DSS v4.0.1 new requirements covered (e-skimming, software supply chain)

Acquirer-shareable Attestation of Compliance (AOC)

Segmentation testing where scope reduction depends on it

From single-channel e-commerce merchants in the United States through to multi-country payment service providers, our delivery model scales while staying QSA-aligned throughout.

Why PCI DSS in the United States is non-negotiable

For any organisation in the United States that touches cardholder data, PCI DSS compliance is a contractual requirement, not optional. Card brand (Visa, Mastercard, Amex, JCB, Discover) compliance programmes flow through your acquirer to you, and the consequences of non-compliance escalate quickly.

The threat landscape in the United States has been hostile to payment businesses for several years. Magecart-style web-skimming attacks against e-commerce checkouts are now industrialised. Ransomware against retail and hospitality has caused multi-week trading outages. Payment fraud is automated and the data feeding it is increasingly sourced through compromised cardholder data environments.

Without strong PCI DSS posture, organisations in your market face:

Acquirer-imposed fines under card brand compliance programmes

Termination of merchant or acquirer relationship

Card brand investigation and forensic mandate after any incident

Increased interchange and processing fees

Reputational damage in the card brand monitoring programmes

Customer trust loss and contractual breach exposure with B2B clients

PCI DSS is rarely the most exciting compliance work. Done well by the right partner, it is one of the least disruptive things on your security roadmap.

Who in the United States needs PCI DSS

Anyone in the United States who stores, processes or transmits cardholder data falls under PCI DSS. In practice, that covers:

Payment Service Providers

E-commerce Merchants

Banks & Issuers

Retail & Hospitality

Restaurants & QSR

Payment Tech & ISVs

Logistics & Fulfilment

Marketplaces

Whether you are a Level 1 merchant requiring annual ROC, a Level 2-4 merchant on SAQ, or a service provider in scope of PCI DSS in your own right, our methodology adapts to your level without compromising on QSA-grade rigour.

How we deliver PCI DSS in the United States

Eight-stage delivery process, adapted to your merchant level, acquirer relationships and payment channels. Fixed-fee scope, single point of contact, evidence reuse against ISO 27001 and SOC 2 where applicable.

01

Scoping & Cardholder Data Discovery

We map every system that stores, processes, or transmits cardholder data, plus systems with logical connectivity to those, to define the scope precisely. Most engagements reduce scope materially at this stage.

02

Gap Assessment Against PCI DSS v4.0.1

Detailed review of every applicable PCI DSS requirement, control by control, with evidence sampling. Output is a remediation roadmap before any formal attestation begins.

03

Remediation Support

Hands-on support on the requirements where most organisations fall short: encryption, MFA, logging, vulnerability management, segmentation, and the new v4.0.1 controls around e-skimming and software supply chain.

04

Segmentation Testing

Independent segmentation testing where in scope, proving the boundaries you rely on for scope reduction actually hold.

05

Formal Assessment (ROC / SAQ)

QSA-aligned formal assessment producing the Report on Compliance (ROC) for Level 1 merchants and service providers, or Self-Assessment Questionnaire (SAQ) support for lower levels.

06

AOC and Submission Support

Attestation of Compliance preparation and acquirer/customer submission support. We handle the formal artefacts so your team focuses on the business.

07

Annual Refresh

Annual reassessment with retained evidence base, so subsequent years are materially cheaper than year one. Quarterly review meetings keep posture fresh between assessments.

08

Incident Response Standby

Pre-arranged incident response for in-scope environments, with acquirer notification handling under card brand rules and forensic capability when required.

Most clients complete first-year ROC in 12 to 16 weeks. SAQ engagements compress to 4 to 8 weeks. Annual refresh is materially cheaper than year one once the evidence base is mature.

What you receive

Every PCI DSS engagement delivers:

  • QSA-aligned scoping and segmentation document
  • Formal ROC or SAQ, depending on level
  • Attestation of Compliance (AOC) acquirer-shareable
  • Gap remediation roadmap with effort estimates
  • PCI DSS v4.0.1 specific evidence (e-skimming, supply chain)
  • Customer-facing compliance summary
  • Evidence reuse mapping to ISO 27001 and SOC 2
  • Annual refresh option with retained evidence base

Industries We Serve

We deliver this service across these industries:

Payment Service Providers
E-commerce Merchants
Banks & Acquirers
Retail
Hospitality
Payment Tech
Logistics
Marketplaces

Why RedSecLabs for PCI DSS in the United States

PCI DSS in the United States demands more than methodology, it demands a partner who understands the acquirer relationships and operating realities of payment businesses in your market. We have delivered PCI DSS engagements across multiple jurisdictions and bring the QSA-grade rigour to every engagement, scaled to your merchant level rather than imposed wholesale.

PCI DSS v4.0.1 QSA-aligned
CREST member company
Acquirer-facing AOC delivery
Evidence reuse with ISO 27001 and SOC 2
Senior QSA-aligned assessors only
Fixed-fee, no surprise invoices

Speak to a PCI DSS specialist for the United States

Book a 30-minute scoping call. We will confirm your merchant level, in-scope channels, and quote a fixed annual fee within 48 hours.

Book a Scoping Call Contact Us

Where to next

Related services and industry packages worth exploring.

PCI DSS master

PCI DSS UK

PCI DSS Saudi Arabia

E-commerce & Retail package
Related reading

From the RedSecLabs research blog

From the blog

PCI DSS SAQ vs ROC

SAQ vs ROC explained.

Read on the RedSecLabs blog
From the blog

PCI DSS 4.0.1 Compliance Guide

PCI DSS 4.0.1 changes and deadlines.

Read on the RedSecLabs blog

Frequently Asked Questions

Yes. We deliver PCI DSS to merchants, payment service providers and acquirers based in the United States, regardless of where their data is processed or stored. Engagements are scoped to your operational reality, your acquirer expectations, and the local regulatory context.

PCI DSS v4.0.1, the current version. Where you are mid-cycle and need bridging work to move from v3.2.1 to v4.0.1, we cover that as part of the engagement.

Yes. Level 1 merchants and qualifying service providers requiring annual ROC are a core engagement type. Our methodology is QSA-aligned throughout, with the formal report quality acquirers and card brands expect.

Almost always, yes. Most organisations carry PCI DSS scope that has crept over time. We start with scoping and cardholder data discovery, and a well-executed scoping exercise typically reduces ongoing PCI DSS effort by 30-60% versus the previous year. The scoping work alone often pays for itself.

Yes. Submission of the AOC to your acquirer, response to follow-up questions, and any further evidence requests from the acquirer or card brands are handled by us alongside the technical assessment.

Engagements are scoped to your merchant level, payment channels in scope, and the technology stack handling cardholder data. We confirm fixed-fee scope within 48 hours of a scoping call. Annual refresh is materially cheaper than year one once we have your evidence base.
Before you decide
Download a sample report
A redacted RedSecLabs penetration test report. See the format, depth, and clarity your team will receive.
Talk to us
Book a scoping call
A 30-minute call covers realistic effort, timeline, and a fixed-scope quote. CREST-aligned methodology, UK-based testers.
What you receive

Every engagement includes

  • Scoping call. A 30-minute call to define scope, timeline, and authorisation boundaries.
  • Test plan. Written test plan covering targets, methodology, and rules of engagement.
  • Technical report. Detailed findings with reproduction steps, evidence, and remediation guidance.
  • Executive summary. Board-ready summary with risk ratings and business impact.
  • Audit-ready evidence. Findings letter formatted for auditors, customers, and supervisory authorities.
  • Retest letter. Free retest of remediated findings within agreed window. Confirmation letter included.
  • Remediation call. A call with our lead tester to walk through findings and remediation strategy.
How we deliver

Our process, end to end

  1. 1
    Scoping call & fixed-scope quote
    A 30-minute call. We define scope, targets, timeline. You get a fixed-scope quote within one working day.
  2. 2
    Test plan & authorisation
    Written test plan covering methodology, targets, and rules of engagement.
  3. 3
    CREST-aligned execution
    Senior tester runs the engagement. Critical findings flagged immediately during testing.
  4. 4
    Technical + executive report
    Detailed technical findings with reproduction steps. Board-ready executive summary.
  5. 5
    Remediation call & retest
    Walkthrough with our lead tester. Retest of remediated findings within the agreed window.
Engagement scope

What shapes the quote

Small scope
Focused scope, smaller surface. 5-7 working days.
Medium scope
Multi-role, several integrations. 8-12 working days.
Enterprise scope
Complex environment, compliance evidence. 12-25 working days.
Fixed-scope quote within 1 working day
No surprise invoices. We commit to a number before you commit to us.
📞 Call us Book a call