PCI DSS is the payment-card industry security standard (v4.0 current) that applies to anyone who stores, processes, or transmits cardholder data.
Merchants, SaaS, and fintech that touch payment-card data. Scope and validation depend on your transaction volume and how you handle card data.
The core of what PCI DSS asks you to put in place.
Depends heavily on scope. A Self-Assessment Questionnaire can be quick once controls are in place; a Level 1 Report on Compliance with a QSA is a multi-month engagement, validated annually.
We scope your cardholder-data environment, reduce PCI scope through segmentation and tokenization, implement the v4.0 requirements, and prepare you for the right SAQ or a QSA-led Level 1 assessment.
See Security and Compliance, or compare estimated PCI DSS cost in CAD. Based in Toronto and led by a published CVE researcher, we deliver across Canada and the US with our partner Lorikeet Security.
Anyone that stores, processes, or transmits cardholder data. Your merchant level and validation method depend on annual transaction volume.
Version 4.0 is the current standard, with v3.2.1 retired and the v4.0 requirements now in force.
Not always. Lower-volume merchants can validate with a Self-Assessment Questionnaire; Level 1 merchants generally need a Qualified Security Assessor Report on Compliance.
Outsource card handling to compliant processors, tokenize, and segment your cardholder-data environment so fewer systems are in scope.
No. It is a contractual standard set by the payment card brands, enforced through your acquirer and payment processors.
Book a free discovery call. We will tell you whether PCI DSS fits, what it would take, and roughly what it would cost.