Global Fintech Payment Processor: Multi-Entity PCI DSS Assessment Across UAE and India
A global fintech payment processor operating regulated entities in the UAE and India was running two disconnected PCI DSS efforts — separate assessors, duplicated evidence, and conflicting interpretations of shared controls. This engagement consolidated both entities under a single CEMEA assessment model delivered from CyberSigma’s Dubai and India teams.
Client Overview
The client is a global fintech payment processor serving banks and merchants across CEMEA, with processing entities in the UAE and India sharing a common technology platform. The regulatory drivers were annual PCI DSS validation for both entities plus UAE central-bank licensing expectations; scope covered the shared processing platform, both regional datacentres, and entity-specific payment channels.
- Industry: Fintech / Payment Processing (global, multi-entity)
- Region: UAE + India (CEMEA)
- Regulatory driver: Annual PCI DSS validation per entity; UAE licensing expectations
- Timeline: One assessment cycle to unify; ~10 weeks of prep versus months previously
- CyberSigma team: Lead QSA (Dubai), lead QSA (India), shared-controls consultant, evidence manager
Challenge
Two entities on one platform were being assessed as if they were unrelated companies. Shared controls were evidenced twice, assessed twice, and sometimes judged differently — audit preparation consumed months of engineering time every year.
- Duplicate evidence collection for controls operated once on the shared platform
- Inconsistent control interpretations between previous assessors in each country
- Audit-prep effort measured in months per entity, hitting the same platform teams twice
- Cross-border evidence handling requirements between UAE and India entities
- Assessment calendars that collided with product release freezes
Objectives
- Unify both entities under one assessment methodology and one QSA relationship
- Build a shared-controls matrix so platform controls are evidenced once and inherited
- Cut audit-preparation time from months to weeks
- Keep entity-level RoCs aligned with each regulator’s expectations
- Establish a single annual assessment calendar across CEMEA
Our Approach
1. Entity & Platform Scoping
We mapped which controls were operated centrally on the shared platform versus locally per entity, producing a responsibility matrix that both entities and the assessment could rely on.
2. Unified Evidence Model
A shared evidence library was built with one artefact per platform control, tagged for inheritance by each entity, with entity-specific evidence limited to genuinely local controls.
3. Harmonised Control Interpretation
Conflicting historical interpretations (key management, MFA boundaries, scan cadence) were resolved into a single documented position applied consistently across both RoCs.
4. Coordinated Dual-Entity Assessment
Dubai- and India-based assessment teams ran interviews and testing in one coordinated window, sharing platform-control results so the same engineers were not interviewed twice.
5. Sustain & Annual Calendar
A rolling evidence-refresh calendar replaced the annual scramble, spreading collection across quarters and keeping both entities continuously assessment-ready.
Solution
- Shared-controls responsibility matrix separating platform controls from entity-local controls
- Single evidence library with inheritance tagging across both entities
- Harmonised control interpretations documented once and applied to both RoCs
- Coordinated dual-entity QSA assessment executed in one window from Dubai and India
- Rolling quarterly evidence-refresh calendar for continuous readiness
Results
- Audit-preparation time cut from months to roughly 10 weeks across both entities
- Platform controls evidenced once instead of twice, removing duplicate engineering effort
- Both entity RoCs completed in a single coordinated assessment window
- Consistent control interpretations eliminated cross-entity findings disputes
- Annual assessment now runs on a predictable CEMEA-wide calendar
Liked the case study? Share on:



