60% Compliance Scope Reduction
Most organizations dramatically overestimate their PCI scope, paying to comply with requirements that do not apply, or underestimate it, leaving cardholder data exposed in systems nobody thought were in scope. Either way, the consequences are significant. We map exactly where card data lives and flows in your environment, define your Cardholder Data Environment accurately (including the connected-to and security-impacting systems, such as shared domain controllers and log collectors, that an assessor will also count as in scope), and apply network segmentation to reduce scope to only what truly needs to be there. Smaller scope means lower cost to comply and less surface area to defend.
PCI DSS v4.0 has over 250 individual requirements. Most organizations have more gaps than they expect, and the ones that get missed in self-assessments are usually the ones that cause failures during formal review. We assess your environment against every applicable requirement, document each gap with its requirement reference and current state, and deliver a prioritized remediation roadmap, so you fix the right things first, not the easiest ones.
Knowing what is required and actually having it in place are two different things. We implement the technical and operational controls your gap assessment identifies (network segmentation, access controls, encryption, audit logging, vulnerability management, and security testing) in a way that fits your existing payment operations rather than disrupting them. Every control is implemented to be sustainable, not just present for the assessment window.
QSAs and SAQ reviewers do not just check whether controls exist; they check whether your team can prove the controls are followed consistently. Missing or outdated documentation is one of the most common reasons organizations fail pre-assessments even when their technical controls are largely in place. We build the security policies, operational procedures, and evidence packages each requirement needs, written in plain language your team will actually use, not boilerplate nobody reads.
Choosing the wrong SAQ type, or going into a QSA assessment without a complete evidence package, is an expensive mistake. We determine your correct validation path based on transaction volumes and processing methods, prepare all supporting evidence, and work alongside you through the SAQ or QSA process so there are no surprises. If a finding comes up during assessment, we help you respond and remediate without losing momentum.
Many organizations that reach PCI DSS compliance let it lapse within 12 months, missing quarterly ASV scans, skipping annual penetration tests, or letting policies drift from actual practice. When the next assessment arrives, they are starting over. We manage your ongoing compliance calendar: quarterly vulnerability scans, annual penetration testing, policy reviews, and assessment preparation, so your compliance status stays valid year-round without your team having to track it.
Understanding PCI DSS
What is PCI DSS?
The Payment Card Industry Data Security Standard is a set of security requirements maintained by the PCI Security Standards Council, founded by the major card brands (Visa, Mastercard, American Express, Discover, and JCB), to protect cardholder data and reduce payment fraud. The current version, PCI DSS v4.0 (published as the limited revision v4.0.1 in June 2024), contains 12 core requirements and over 250 individual controls covering network security, access management, encryption, monitoring, and testing.
Who does it apply to?
PCI DSS applies to any organization that processes, stores, or transmits cardholder data, regardless of size or transaction volume. This includes retailers, e-commerce platforms, SaaS companies that handle billing, payment processors, and service providers whose systems touch cardholder data environments. Your acquiring bank or card brand determines your specific validation requirements.
Why does it matter?
Non-compliance or a breach can result in fines of $5,000 to $100,000 per month from the card brands, levied on your acquiring bank and passed on to you, mandatory forensic investigations at your expense, and ultimately the loss of your ability to accept card payments. Beyond the financial penalties, a cardholder data breach triggers notification obligations, customer lawsuits, and reputational damage that affects every future transaction.
How do you comply?
Compliance starts with accurately defining your Cardholder Data Environment and applying segmentation to minimize scope. From there, you assess gaps against all applicable requirements, implement the controls needed to close them, build supporting documentation, and validate through either a Self-Assessment Questionnaire or a formal QSA assessment, then maintain that status year-round.
We failed our first QSA pre-assessment and were at risk of losing our ability to process cards. garrisonOne scoped our cardholder data environment correctly, which cut our compliance scope by over 60%, implemented the required controls, and got us through formal assessment within four months.
Client results
Retail
Pre-PCI DSS audit penetration test uncovered critical vulnerabilities in the payment processing environment. All findings remediated before the QSA assessment.
Industry focus
Related Services: Financial Services Cybersecurity | Penetration Testing | Vulnerability Assessment | All Compliance Services
PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security requirements developed by the major card brands to protect cardholder data and reduce payment card fraud. Any organization that processes, stores, or transmits cardholder data must comply with PCI DSS, regardless of size or transaction volume.
The Cardholder Data Environment, or CDE, is the set of people, processes, and technology that stores, processes, or transmits cardholder data or sensitive authentication data, or that is connected to such systems. All PCI DSS requirements apply to the CDE. Accurate scoping of the CDE is critical because it defines the full extent of your compliance obligations.
The applicable Self-Assessment Questionnaire depends on how your organization processes payments, specifically whether you accept card-present or card-not-present transactions, whether you use a third-party payment processor, and how cardholder data flows through your systems. There are several SAQ types, and selecting the wrong one is a common mistake. We help you identify the correct SAQ for your processing model.
PCI DSS v4.0 introduced a customized approach that allows organizations to meet the intent of a requirement through alternative controls, supported by a targeted risk analysis, rather than following the prescriptive defined approach. It also added new requirements around targeted risk analysis, expanded multi-factor authentication, and e-commerce security (inventory and integrity of payment page scripts, and change detection on payment pages). PCI DSS v3.2.1 was retired on March 31, 2024, so organizations are now required to validate against v4.0 (maintained as v4.0.1 since June 2024), and the requirements that were future-dated in v4.0 became mandatory on March 31, 2025.
A failed assessment results in a non-compliance finding that must be reported to your acquiring bank and payment brands. Consequences can include increased transaction fees, mandatory remediation programs, additional monitoring requirements, and ultimately the loss of the ability to process payment cards. We help organizations achieve and maintain compliance to avoid reaching this point.
Yes. Properly implemented network segmentation that isolates cardholder data systems from out-of-scope systems can significantly reduce your compliance scope. PCI DSS does not require segmentation, but when implemented correctly it reduces the number of systems subject to PCI DSS requirements, which lowers both compliance cost and audit complexity. Note that once you rely on segmentation to reduce scope, PCI DSS requires you to prove it works: penetration testing of the segmentation controls at least every 12 months and after any change to them (Requirement 11.4.5), and every six months for service providers (Requirement 11.4.6). Systems that remain connected to the CDE, or that provide security services to it, stay in scope regardless of segmentation.
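The scoping exercise described above and in the Compliance Scope Reduction section can be made mechanical once you have a system inventory and the permitted network flows from your firewall rules. The following is an added example, not a tool from garrisonOne or the PCI SSC: it classifies each system as CDE, connected-to, security-impacting or out-of-scope using the PCI SSC scoping categories, records why each in-scope system is in scope (the evidence an assessor asks for), and measures the scope reduction a segmented rule set achieves over a flat network. The inventory and flows are constructed, and the system names are hypothetical. It uses a one-hop model (a permitted flow with a CDE system puts you in scope); systems reachable only through another in-scope system, such as a jump host, are a case-by-case call and are deliberately not decided here.

```python
"""PCI DSS scope calculation over a constructed system inventory (added example).

Categories follow the PCI SSC scoping guidance:
  CDE                 stores, processes or transmits cardholder data (CHD/SAD)
  connected-to        has a permitted network flow to or from a CDE system
  security-impacting  provides security services to, or segments, the CDE
                      (domain controllers, SIEM, the CDE boundary firewall)
  out-of-scope        none of the above
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class System:
    name: str
    handles_chd: bool = False         # stores/processes/transmits cardholder data
    security_impacting: bool = False  # controls or could affect CDE security


# Constructed inventory; all names are hypothetical.
INVENTORY = [
    System("pos-terminal", handles_chd=True),
    System("payment-gateway", handles_chd=True),
    System("card-db", handles_chd=True),
    System("fw-cde", security_impacting=True),   # firewall enforcing the CDE boundary
    System("ad-dc", security_impacting=True),    # shared domain controller
    System("siem", security_impacting=True),     # receives CDE audit logs (Req. 10)
    System("web-store"), System("hr-app"), System("crm"), System("mail"),
    System("file-share"), System("dev-ci"), System("wiki"),
    System("guest-wifi"), System("printer"),
]

# Permitted flows as unordered pairs, as you would read them out of firewall
# rules or ACLs. A flat network permits every pair.
FLAT_NETWORK = [tuple(p) for p in combinations([s.name for s in INVENTORY], 2)]

# Constructed rule set after segmentation: only these flows are permitted.
SEGMENTED_NETWORK = [
    ("pos-terminal", "payment-gateway"),   # card-present authorisation traffic
    ("payment-gateway", "card-db"),        # tokenisation vault
    ("web-store", "payment-gateway"),      # storefront requests hosted-page tokens
    ("ad-dc", "payment-gateway"),          # admin authentication for CDE hosts
    ("ad-dc", "card-db"),
    ("siem", "payment-gateway"),           # log forwarding
    ("siem", "card-db"),
    ("siem", "fw-cde"),
    ("hr-app", "ad-dc"), ("crm", "ad-dc"), ("mail", "ad-dc"), ("file-share", "ad-dc"),
    ("dev-ci", "wiki"), ("hr-app", "file-share"), ("crm", "mail"),
]


def classify(inventory, flows):
    """Return ({in_scope_name: reason}, {out_of_scope_name}).

    Raises ValueError if a flow names a system missing from the inventory:
    an undocumented system is itself a scoping failure, not something to skip.
    """
    known = {s.name for s in inventory}
    reasons = {}
    cde = {s.name for s in inventory if s.handles_chd}
    for name in cde:
        reasons[name] = "CDE: stores, processes or transmits cardholder data"
    for a, b in flows:
        for src, dst in ((a, b), (b, a)):
            if src not in known or dst not in known:
                raise ValueError(f"flow {a}<->{b} references a system not in the inventory")
            if src in cde and dst not in cde and dst not in reasons:
                reasons[dst] = f"connected-to: permitted flow with CDE system {src}"
    for s in inventory:
        if s.security_impacting and s.name not in reasons:
            reasons[s.name] = "security-impacting: provides security services to the CDE"
    return reasons, known - set(reasons)


def scope_reduction_pct(inventory, before_flows, after_flows):
    """Percentage fewer in-scope systems after applying the segmented rule set."""
    before, _ = classify(inventory, before_flows)
    after, _ = classify(inventory, after_flows)
    return round(100 * (len(before) - len(after)) / len(before), 1)


if __name__ == "__main__":
    in_scope, out_of_scope = classify(INVENTORY, SEGMENTED_NETWORK)
    for name, why in sorted(in_scope.items()):
        print(f"{name:16} {why}")
    print("out of scope:", ", ".join(sorted(out_of_scope)))
    print("scope reduction vs flat network:",
          scope_reduction_pct(INVENTORY, FLAT_NETWORK, SEGMENTED_NETWORK), "%")
```

On the flat network every system is in scope, because every system has a permitted flow with a CDE system. With the segmented rule set the domain controller and SIEM stay in scope (they are both connected-to and security-impacting), the corporate systems that merely authenticate to that domain controller drop out, and the reasons dictionary is the scoping evidence to hand to the assessor. Changing a single flow in the segmented list and re-running shows how quickly a "temporary" firewall exception widens scope.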
PCI DSS compliance must be validated annually. In addition to the annual assessment, there are ongoing requirements including quarterly internal vulnerability scans, quarterly external vulnerability scans by an Approved Scanning Vendor, rescans after significant changes, and annual penetration testing. Compliance is an ongoing program, not a single annual event.
A QSA is required for organizations that must produce a Report on Compliance, typically Level 1 merchants and service providers meeting certain transaction volume thresholds set by the card brands; where your acquirer accepts it, a merchant's Report on Compliance can also be completed by a certified Internal Security Assessor. Lower-level merchants and service providers may be able to validate through a Self-Assessment Questionnaire without a QSA. We help you determine the correct validation path and prepare you for whichever process applies.