Resource Hub · PCI DSS
PCI DSS Compliance — The Complete Hub
Card-payment security from scoping to QSA sign-off: v4.0.1, SAQ vs ROC, scope reduction, PIN and payment-ecosystem audits.
PCI DSS applies to every organisation that stores, processes or transmits cardholder data — merchants, PSPs, gateways, acquirers and issuers. Version 4.0.1 raises the bar on authentication, encryption and continuous evidence, and acquirers are enforcing timelines.
This hub organises CyberSigma's PCI content — from beginner explainers to QSA-level audit guidance — into one path, delivered by PCI QSA-authorized senior assessors.
Who this applies to
- Merchants (online and in-store), payment service providers, aggregators, gateways and acquirers.
- Fintechs embedding card flows; SaaS platforms touching cardholder data.
- Banks and issuers running card programs, PIN and 3DS environments.
- Triggers: acquiring-bank mandate, v4.0.1 deadline, new payment product, audit lapse, breach exposure.
The compliance journey
- 1. Understand the standard — read the guide PCI DSS v4.0.1 in plain language.
- 2. Determine your level & instrument — read the guide SAQ or ROC — what applies to you.
- 3. Scope and reduce — read the guide Cut assessment cost with tokenization and segmentation.
- 4. Assess your gaps — read the guide Self-check before the QSA arrives.
- 5. QSA assessment & attestation — read the guide Remediate, evidence and complete the audit.
Everything in this cluster
Learn
Compare
Prepare
Tools & assessments
Frequently asked questions
Do we need a QSA or can we self-assess?
It depends on your merchant/service-provider level and your acquirer's demands. Lower volumes may use an SAQ; higher levels and most service providers need a QSA-led ROC.
What changed in PCI DSS v4.0.1?
Stronger authentication (MFA everywhere in scope), stricter encryption and key management, targeted risk analyses, and a shift toward continuous evidence rather than annual snapshots.
How can we reduce PCI scope?
Tokenization, network segmentation, P2PE and outsourcing card flows to validated providers can dramatically shrink the environment a QSA must assess — often the biggest cost lever.
Is CyberSigma QSA-authorized?
Yes — PCI QSA authorized with senior assessors across CEMEA, APAC and the US, delivering scoping, readiness, remediation support and the final assessment.
Talk to a senior auditor
Scoping within 48 hours — CERT-In empanelled, PCI QSA authorized, never junior testers.
