We use essential cookies to run this site. Analytics & marketing cookies load only with your consent — see our Cookie Policy and Privacy Policy.

Large E-Commerce Marketplace case study hero background

Large E-Commerce Marketplace: First-Time PCI DSS Certification: 120 Gaps Closed in 6 Months

PCI SSC Qualified Security Assessor — CYBERSIGMA CONSULTING SERVICES LLP

QSA Authorized
CEMEA · Asia Pacific · USA

Our Offerings -PCI-DSS Audit,RBI/SEBI/IRDAI/Aadhaar/NBFC & Housing Cybersecurity Audit,SOC1/2/3,GDPR,ISMS,ISO,

Large E-Commerce Marketplace: First-Time PCI DSS Certification: 120 Gaps Closed in 6 Months

A large e-commerce marketplace serving millions of Indian customers had grown its payment stack organically — and had never been formally assessed against PCI DSS. When transaction volumes pushed it past self-assessment thresholds, the business needed a first-time certification on a bank-imposed deadline. This engagement covers the full SAQ-to-RoC journey.

Client Overview

The client is a large e-commerce marketplace operating across India with web and mobile storefronts, in-house order management, and integrations to multiple payment aggregators. The regulatory driver was acquiring-bank escalation: rising transaction volumes moved the merchant from SAQ eligibility toward a full QSA-assessed Report on Compliance. Scope covered the checkout and payment services, supporting infrastructure in cloud and one datacentre, and the customer-support systems that touched payment references.

  • Industry: E-Commerce / Marketplace (large enterprise)
  • Region: India
  • Regulatory driver: Acquirer mandate — SAQ to QSA-assessed RoC
  • Timeline: 6 months, gap assessment to validated RoC
  • CyberSigma team: Lead QSA, two PCI consultants, application security tester, remediation programme manager

Challenge

The first structured gap assessment surfaced roughly 120 gaps across the twelve PCI DSS requirement families — from missing encryption and logging to absent policies and untested incident response — all to be closed inside a six-month bank deadline.

  • ~120 gaps identified across all twelve PCI DSS requirement areas
  • No prior formal assessment: policies, network diagrams, and asset inventories did not exist
  • Cardholder data references present in customer-support and marketing systems
  • Engineering teams fully loaded on product roadmap, with no dedicated security function
  • Fixed acquirer deadline with escalation consequences for missing it

Objectives

  • Close all identified gaps within the six-month window
  • Confine payment flows so most of the marketplace platform stays out of scope
  • Build the missing documentation set: policies, diagrams, inventories, and procedures
  • Stand up recurring operational controls (scanning, log review, access recertification)
  • Complete first-time QSA assessment through RoC and AoC

Our Approach

1. Gap Assessment & Remediation Roadmap

A requirement-by-requirement assessment produced a prioritised backlog of ~120 gaps, sequenced into monthly waves by risk and dependency, with a named owner and target date for each item.

2. Scope Containment

Checkout was refactored to hand off card entry to aggregator-hosted fields, and support tooling was stripped of raw payment data — shrinking the environment the assessment had to cover.

3. Technical Remediation Waves

Segmentation, encryption in transit and at rest, MFA, centralised logging, and hardening baselines were deployed in tracked monthly waves with retesting after each.

4. Governance & Documentation Build-Out

The full documentation layer — security policies, network and data-flow diagrams, asset inventory, incident response plan with a tabletop exercise — was created and operationalised, not just written.

5. QSA Assessment & Certification

With gaps closed and evidence staged, the QSA assessment ran interviews and control testing, and the marketplace received its first validated Report on Compliance ahead of the bank deadline.

Solution

  • Prioritised remediation backlog of ~120 gaps sequenced into monthly delivery waves
  • Checkout re-architecture using aggregator-hosted card capture to contain scope
  • Technical control deployment: segmentation, encryption, MFA, logging, hardening baselines
  • Complete governance layer: policies, diagrams, inventories, and a tested incident response plan
  • First-time QSA assessment coordinated through RoC and AoC issuance

Results

  • Approximately 120 gaps closed within the 6-month programme window
  • First-time PCI DSS Report on Compliance validated ahead of the acquirer deadline
  • Assessed scope contained to payment services rather than the whole marketplace platform
  • Recurring control operations (scans, log review, access reviews) running on schedule
  • Documentation and evidence base established for annual revalidation
CyberSigma office locations across India, UAE, Egypt and Australia

Our Office

Locations we operate from

HQ, Noida, India

405, 4th Floor, Majestic Signia, Sector 62, Noida, Uttar Pradesh 201309

Pune, India

InCube Centre, Tejaswini Society, Lane 2, Aundh, PUNE, India, 411007

Mumbai, India

A802, Crescenzo, C /38-39, G-Block, Bandra Kurla Complex, Mumbai-400051, Maharashtra, India

Bengaluru, India

Maharaj, 152/4, 8th Cross, Chamrajpet, Bengaluru, Karnataka, India, 560018

UAE

Business Point Building - Office No. 702 - Dubai - United Arab Emirates

UAE

L.L.C Muna AlJaziri Building, Office No 303 Al Mararr Dubai, UAE

Egypt

19 Dr. Omar Dessouky Street, Cairo- Egypt 4271020

Australia

Level 4, 80 Market Street, South Melbourne 3205