Large E-Commerce Marketplace: First-Time PCI DSS Certification: 120 Gaps Closed in 6 Months
A large e-commerce marketplace serving millions of Indian customers had grown its payment stack organically — and had never been formally assessed against PCI DSS. When transaction volumes pushed it past self-assessment thresholds, the business needed a first-time certification on a bank-imposed deadline. This engagement covers the full SAQ-to-RoC journey.
Client Overview
The client is a large e-commerce marketplace operating across India with web and mobile storefronts, in-house order management, and integrations to multiple payment aggregators. The regulatory driver was acquiring-bank escalation: rising transaction volumes moved the merchant from SAQ eligibility toward a full QSA-assessed Report on Compliance. Scope covered the checkout and payment services, supporting infrastructure in cloud and one datacentre, and the customer-support systems that touched payment references.
- Industry: E-Commerce / Marketplace (large enterprise)
- Region: India
- Regulatory driver: Acquirer mandate — SAQ to QSA-assessed RoC
- Timeline: 6 months, gap assessment to validated RoC
- CyberSigma team: Lead QSA, two PCI consultants, application security tester, remediation programme manager
Challenge
The first structured gap assessment surfaced roughly 120 gaps across the twelve PCI DSS requirement families — from missing encryption and logging to absent policies and untested incident response — all to be closed inside a six-month bank deadline.
- ~120 gaps identified across all twelve PCI DSS requirement areas
- No prior formal assessment: policies, network diagrams, and asset inventories did not exist
- Cardholder data references present in customer-support and marketing systems
- Engineering teams fully loaded on product roadmap, with no dedicated security function
- Fixed acquirer deadline with escalation consequences for missing it
Objectives
- Close all identified gaps within the six-month window
- Confine payment flows so most of the marketplace platform stays out of scope
- Build the missing documentation set: policies, diagrams, inventories, and procedures
- Stand up recurring operational controls (scanning, log review, access recertification)
- Complete first-time QSA assessment through RoC and AoC
Our Approach
1. Gap Assessment & Remediation Roadmap
A requirement-by-requirement assessment produced a prioritised backlog of ~120 gaps, sequenced into monthly waves by risk and dependency, with a named owner and target date for each item.
2. Scope Containment
Checkout was refactored to hand off card entry to aggregator-hosted fields, and support tooling was stripped of raw payment data — shrinking the environment the assessment had to cover.
3. Technical Remediation Waves
Segmentation, encryption in transit and at rest, MFA, centralised logging, and hardening baselines were deployed in tracked monthly waves with retesting after each.
4. Governance & Documentation Build-Out
The full documentation layer — security policies, network and data-flow diagrams, asset inventory, incident response plan with a tabletop exercise — was created and operationalised, not just written.
5. QSA Assessment & Certification
With gaps closed and evidence staged, the QSA assessment ran interviews and control testing, and the marketplace received its first validated Report on Compliance ahead of the bank deadline.
Solution
- Prioritised remediation backlog of ~120 gaps sequenced into monthly delivery waves
- Checkout re-architecture using aggregator-hosted card capture to contain scope
- Technical control deployment: segmentation, encryption, MFA, logging, hardening baselines
- Complete governance layer: policies, diagrams, inventories, and a tested incident response plan
- First-time QSA assessment coordinated through RoC and AoC issuance
Results
- Approximately 120 gaps closed within the 6-month programme window
- First-time PCI DSS Report on Compliance validated ahead of the acquirer deadline
- Assessed scope contained to payment services rather than the whole marketplace platform
- Recurring control operations (scans, log review, access reviews) running on schedule
- Documentation and evidence base established for annual revalidation
Liked the case study? Share on:



