We use essential cookies to run this site. Analytics & marketing cookies load only with your consent — see our Cookie Policy and Privacy Policy.

Large Indian Payment Gateway case study hero background

Large Indian Payment Gateway: PCI DSS v4.0 with 35% CDE Scope Reduction and Zero Major Findings

PCI SSC Qualified Security Assessor — CYBERSIGMA CONSULTING SERVICES LLP

QSA Authorized
CEMEA · Asia Pacific · USA

Our Offerings -PCI-DSS Audit,RBI/SEBI/IRDAI/Aadhaar/NBFC & Housing Cybersecurity Audit,SOC1/2/3,GDPR,ISMS,ISO,

Large Indian Payment Gateway: PCI DSS v4.0 with 35% CDE Scope Reduction and Zero Major Findings

One of India's largest payment gateways — processing card transactions for thousands of merchants across web, app, and API channels — needed to transition from PCI DSS v3.2.1 to v4.0 while its infrastructure footprint kept growing. This engagement shows how disciplined scoping, tokenization, and segmentation turned an expanding assessment into a smaller, cleaner one, validated with zero major findings.

Client Overview

The client is one of India's largest payment gateways, operating multi-datacentre and cloud infrastructure across India and serving merchants nationwide. The regulatory driver was the mandatory PCI DSS v4.0 transition combined with acquirer and network (card scheme) obligations; the engagement covered the full cardholder data environment across two datacentres and a public-cloud footprint.

  • Industry: Payments / Payment Gateway (large enterprise)
  • Region: India (multi-datacentre + cloud)
  • Regulatory driver: PCI DSS v4.0 transition; acquirer and card-scheme mandates
  • Timeline: ~7 months from scoping to validated RoC
  • CyberSigma team: Lead QSA, two PCI consultants, network security architect, VAPT team

Challenge

Years of product growth had let cardholder data touch far more systems than necessary: merchant dashboards, reconciliation jobs, support tooling, and analytics pipelines were all in scope. A v4.0 assessment across the full estate would have been slow, costly, and high-risk.

  • Cardholder data flows spread across payment, reconciliation, support, and analytics systems
  • Flat network zones pulling non-payment systems into PCI scope
  • New v4.0 requirements (targeted risk analyses, authenticated scanning, expanded MFA) not yet operationalised
  • Assessment window fixed by acquirer and card-scheme deadlines
  • Prior assessments had grown longer each year as scope expanded

Objectives

  • Reduce the assessed CDE materially before the v4.0 assessment began
  • Design and validate network segmentation between CDE and corporate zones
  • Replace stored PANs with tokens wherever business processes allowed
  • Complete the full PCI DSS v4.0 QSA assessment on the acquirer timeline
  • Target zero major findings at validation

Our Approach

1. Data Discovery & Scope Definition

Automated PAN discovery plus data-flow workshops across payment, reconciliation, support, and analytics teams produced a verified inventory of every system that stored, processed, or transmitted cardholder data — and, critically, the list of systems that did not need to.

2. Tokenization & Descoping

Reconciliation, support, and analytics workflows were migrated to tokenized references so full PANs were confined to the core payment switch and vault. Legacy PAN stores were purged under documented retention decisions.

3. Network Segmentation & Validation

The CDE was isolated behind dedicated firewall zones with tightly defined rule sets; segmentation penetration testing confirmed non-CDE zones could not reach cardholder data, formally removing them from assessment scope.

4. v4.0 Control Uplift

New v4.0 obligations — targeted risk analyses, expanded MFA coverage, authenticated internal scanning, and payment-page script controls — were implemented with named control owners and evidence templates.

5. QSA Assessment & Validation

The QSA assessment ran against the reduced environment with pre-staged evidence packs per requirement family, interviews scheduled by control owner, and remediation of minor observations tracked to closure before sign-off.

Solution

  • Verified cardholder data inventory and data-flow maps across all business functions
  • Tokenization rollout that confined full PANs to the core payment switch and vault
  • Segmentation architecture with penetration-test validation formally descoping non-payment zones
  • PCI DSS v4.0 control uplift with named owners, targeted risk analyses, and evidence packs
  • Full QSA assessment through Report on Compliance and Attestation of Compliance

Results

  • Assessed CDE scope reduced by approximately 35% before the assessment began
  • Zero major findings at PCI DSS v4.0 validation
  • RoC and AoC delivered within the acquirer deadline (~7-month programme)
  • Assessment effort and evidence volume reduced against the prior cycle despite the v4.0 transition
  • Repeatable scoping and evidence model in place for annual revalidation
CyberSigma office locations across India, UAE, Egypt and Australia

Our Office

Locations we operate from

HQ, Noida, India

405, 4th Floor, Majestic Signia, Sector 62, Noida, Uttar Pradesh 201309

Pune, India

InCube Centre, Tejaswini Society, Lane 2, Aundh, PUNE, India, 411007

Mumbai, India

A802, Crescenzo, C /38-39, G-Block, Bandra Kurla Complex, Mumbai-400051, Maharashtra, India

Bengaluru, India

Maharaj, 152/4, 8th Cross, Chamrajpet, Bengaluru, Karnataka, India, 560018

UAE

Business Point Building - Office No. 702 - Dubai - United Arab Emirates

UAE

L.L.C Muna AlJaziri Building, Office No 303 Al Mararr Dubai, UAE

Egypt

19 Dr. Omar Dessouky Street, Cairo- Egypt 4271020

Australia

Level 4, 80 Market Street, South Melbourne 3205