We use essential cookies to run this site. Analytics & marketing cookies load only with your consent — see our Cookie Policy and Privacy Policy.

Global Fintech Payment Processor case study hero background

Global Fintech Payment Processor: Multi-Entity PCI DSS Assessment Across UAE and India

PCI SSC Qualified Security Assessor — CYBERSIGMA CONSULTING SERVICES LLP

QSA Authorized
CEMEA · Asia Pacific · USA

Our Offerings -PCI-DSS Audit,RBI/SEBI/IRDAI/Aadhaar/NBFC & Housing Cybersecurity Audit,SOC1/2/3,GDPR,ISMS,ISO,

Global Fintech Payment Processor: Multi-Entity PCI DSS Assessment Across UAE and India

A global fintech payment processor operating regulated entities in the UAE and India was running two disconnected PCI DSS efforts — separate assessors, duplicated evidence, and conflicting interpretations of shared controls. This engagement consolidated both entities under a single CEMEA assessment model delivered from CyberSigma’s Dubai and India teams.

Client Overview

The client is a global fintech payment processor serving banks and merchants across CEMEA, with processing entities in the UAE and India sharing a common technology platform. The regulatory drivers were annual PCI DSS validation for both entities plus UAE central-bank licensing expectations; scope covered the shared processing platform, both regional datacentres, and entity-specific payment channels.

  • Industry: Fintech / Payment Processing (global, multi-entity)
  • Region: UAE + India (CEMEA)
  • Regulatory driver: Annual PCI DSS validation per entity; UAE licensing expectations
  • Timeline: One assessment cycle to unify; ~10 weeks of prep versus months previously
  • CyberSigma team: Lead QSA (Dubai), lead QSA (India), shared-controls consultant, evidence manager

Challenge

Two entities on one platform were being assessed as if they were unrelated companies. Shared controls were evidenced twice, assessed twice, and sometimes judged differently — audit preparation consumed months of engineering time every year.

  • Duplicate evidence collection for controls operated once on the shared platform
  • Inconsistent control interpretations between previous assessors in each country
  • Audit-prep effort measured in months per entity, hitting the same platform teams twice
  • Cross-border evidence handling requirements between UAE and India entities
  • Assessment calendars that collided with product release freezes

Objectives

  • Unify both entities under one assessment methodology and one QSA relationship
  • Build a shared-controls matrix so platform controls are evidenced once and inherited
  • Cut audit-preparation time from months to weeks
  • Keep entity-level RoCs aligned with each regulator’s expectations
  • Establish a single annual assessment calendar across CEMEA

Our Approach

1. Entity & Platform Scoping

We mapped which controls were operated centrally on the shared platform versus locally per entity, producing a responsibility matrix that both entities and the assessment could rely on.

2. Unified Evidence Model

A shared evidence library was built with one artefact per platform control, tagged for inheritance by each entity, with entity-specific evidence limited to genuinely local controls.

3. Harmonised Control Interpretation

Conflicting historical interpretations (key management, MFA boundaries, scan cadence) were resolved into a single documented position applied consistently across both RoCs.

4. Coordinated Dual-Entity Assessment

Dubai- and India-based assessment teams ran interviews and testing in one coordinated window, sharing platform-control results so the same engineers were not interviewed twice.

5. Sustain & Annual Calendar

A rolling evidence-refresh calendar replaced the annual scramble, spreading collection across quarters and keeping both entities continuously assessment-ready.

Solution

  • Shared-controls responsibility matrix separating platform controls from entity-local controls
  • Single evidence library with inheritance tagging across both entities
  • Harmonised control interpretations documented once and applied to both RoCs
  • Coordinated dual-entity QSA assessment executed in one window from Dubai and India
  • Rolling quarterly evidence-refresh calendar for continuous readiness

Results

  • Audit-preparation time cut from months to roughly 10 weeks across both entities
  • Platform controls evidenced once instead of twice, removing duplicate engineering effort
  • Both entity RoCs completed in a single coordinated assessment window
  • Consistent control interpretations eliminated cross-entity findings disputes
  • Annual assessment now runs on a predictable CEMEA-wide calendar
CyberSigma office locations across India, UAE, Egypt and Australia

Our Office

Locations we operate from

HQ, Noida, India

405, 4th Floor, Majestic Signia, Sector 62, Noida, Uttar Pradesh 201309

Pune, India

InCube Centre, Tejaswini Society, Lane 2, Aundh, PUNE, India, 411007

Mumbai, India

A802, Crescenzo, C /38-39, G-Block, Bandra Kurla Complex, Mumbai-400051, Maharashtra, India

Bengaluru, India

Maharaj, 152/4, 8th Cross, Chamrajpet, Bengaluru, Karnataka, India, 560018

UAE

Business Point Building - Office No. 702 - Dubai - United Arab Emirates

UAE

L.L.C Muna AlJaziri Building, Office No 303 Al Mararr Dubai, UAE

Egypt

19 Dr. Omar Dessouky Street, Cairo- Egypt 4271020

Australia

Level 4, 80 Market Street, South Melbourne 3205