PCI-DSS Compliance

PCI-DSS Compliance Made Clear and Achievable — Expert guidance to protect payment card data, simplify complex requirements, and help your business meet compliance with confidence.

PCI Compliance Made Simple.

Any organisation handling debit or credit card data must comply with the Payment Card Industry Data Security Standard (PCI-DSS) or risk heavy fines and reputational damage.

We’ve helped businesses of all sizes achieve compliance – from initial gap analysis and SAQ reviews to tailored advice on securing processes and achieving certification. Whether you’re starting out or maintaining compliance, we can guide you every step of the way.

As independent specialists, we take a holistic view of security, covering not just IT but also physical security – a key (and often overlooked) PCI requirement. Many ISO 27001 controls align with PCI-DSS, so if you already follow ISO 27001, achieving PCI compliance may be easier than you think.

Our PCI-DSS Services include:

  • Regular PCI-DSS assessments against the SAQ to maintain compliance
  • Completion of the annual Attestation of Compliance (AOC)
  • Prioritised compliance assessments to identify gaps and remediation needs
  • Physical Security Reviews (Requirement 9)
  • Identification and documentation of Compensating Controls
  • Ad hoc guidance and support with remediation, including one-off PCI audits
  • Re-assessments after remediation is complete

Do You Need a QSA to Sign Off Your SAQ?

Not always. Level 1 merchants must have a QSA complete a full audit. Levels 3 and 4 can self-sign their SAQs. For Level 2, it depends: some SAQ types (like A, A-EP and D under Mastercard rules) require QSA or ISA validation, while others don’t.

We’re not a QSA, but we offer independent, best-practice advice to help you choose the right SAQ, close gaps, and prepare for sign-off. Unlike many QSA firms tied to vendors, our guidance is unbiased, practical and cost-effective.

Make sure your business is PCI-DSS compliant.