Large Indian Payment Gateway: PCI DSS v4.0 with 35% CDE Scope Reduction and Zero Major Findings
One of India's largest payment gateways — processing card transactions for thousands of merchants across web, app, and API channels — needed to transition from PCI DSS v3.2.1 to v4.0 while its infrastructure footprint kept growing. This engagement shows how disciplined scoping, tokenization, and segmentation turned an expanding assessment into a smaller, cleaner one, validated with zero major findings.
Client Overview
The client is one of India's largest payment gateways, operating multi-datacentre and cloud infrastructure across India and serving merchants nationwide. The regulatory driver was the mandatory PCI DSS v4.0 transition combined with acquirer and network (card scheme) obligations; the engagement covered the full cardholder data environment across two datacentres and a public-cloud footprint.
- Industry: Payments / Payment Gateway (large enterprise)
- Region: India (multi-datacentre + cloud)
- Regulatory driver: PCI DSS v4.0 transition; acquirer and card-scheme mandates
- Timeline: ~7 months from scoping to validated RoC
- CyberSigma team: Lead QSA, two PCI consultants, network security architect, VAPT team
Challenge
Years of product growth had let cardholder data touch far more systems than necessary: merchant dashboards, reconciliation jobs, support tooling, and analytics pipelines were all in scope. A v4.0 assessment across the full estate would have been slow, costly, and high-risk.
- Cardholder data flows spread across payment, reconciliation, support, and analytics systems
- Flat network zones pulling non-payment systems into PCI scope
- New v4.0 requirements (targeted risk analyses, authenticated scanning, expanded MFA) not yet operationalised
- Assessment window fixed by acquirer and card-scheme deadlines
- Prior assessments had grown longer each year as scope expanded
Objectives
- Reduce the assessed CDE materially before the v4.0 assessment began
- Design and validate network segmentation between CDE and corporate zones
- Replace stored PANs with tokens wherever business processes allowed
- Complete the full PCI DSS v4.0 QSA assessment on the acquirer timeline
- Target zero major findings at validation
Our Approach
1. Data Discovery & Scope Definition
Automated PAN discovery plus data-flow workshops across payment, reconciliation, support, and analytics teams produced a verified inventory of every system that stored, processed, or transmitted cardholder data — and, critically, the list of systems that did not need to.
2. Tokenization & Descoping
Reconciliation, support, and analytics workflows were migrated to tokenized references so full PANs were confined to the core payment switch and vault. Legacy PAN stores were purged under documented retention decisions.
3. Network Segmentation & Validation
The CDE was isolated behind dedicated firewall zones with tightly defined rule sets; segmentation penetration testing confirmed non-CDE zones could not reach cardholder data, formally removing them from assessment scope.
4. v4.0 Control Uplift
New v4.0 obligations — targeted risk analyses, expanded MFA coverage, authenticated internal scanning, and payment-page script controls — were implemented with named control owners and evidence templates.
5. QSA Assessment & Validation
The QSA assessment ran against the reduced environment with pre-staged evidence packs per requirement family, interviews scheduled by control owner, and remediation of minor observations tracked to closure before sign-off.
Solution
- Verified cardholder data inventory and data-flow maps across all business functions
- Tokenization rollout that confined full PANs to the core payment switch and vault
- Segmentation architecture with penetration-test validation formally descoping non-payment zones
- PCI DSS v4.0 control uplift with named owners, targeted risk analyses, and evidence packs
- Full QSA assessment through Report on Compliance and Attestation of Compliance
Results
- Assessed CDE scope reduced by approximately 35% before the assessment began
- Zero major findings at PCI DSS v4.0 validation
- RoC and AoC delivered within the acquirer deadline (~7-month programme)
- Assessment effort and evidence volume reduced against the prior cycle despite the v4.0 transition
- Repeatable scoping and evidence model in place for annual revalidation
Liked the case study? Share on:



