PCI DSS v4.0.1 · SAQ A–D · Readiness · Evidence

PCI DSS Compliance Services

Scoping, Gap Assessment, and SAQ Readiness for Merchants and Service Providers

PCI DSS v4.0.1 readiness consulting for merchants and service providers. We map your cardholder data environment, qualify the right Self-Assessment Questionnaire (SAQ A through D), assess every Requirement against the standard including the 51 future-dated controls effective March 31, 2025, and prepare the policy library and evidence package your acquiring bank or QSA will ask for. Delivered remotely to businesses across the United States, with deepest engineering depth in Northern NJ, the NYC metro, Pennsylvania, and South Florida.

PCI DSS v4.0.1 aligned · 10 SAQ types supported · Remote delivery nationwide · QSA & ASV partner network
Request a PCI DSS Scoping Call
Tell us your acquirer, transaction volume, and payment channels. We will respond with a scoped readiness proposal. We typically reply within 4 business hours.



    Quick Answer

    PCI DSS compliance services help merchants and service providers meet the Payment Card Industry Data Security Standard published by the PCI Security Standards Council. On-Site Technology delivers PCI DSS v4.0.1 readiness consulting nationwide, including cardholder data environment scoping, gap assessment against the 12 core Requirements (covering the 51 future-dated controls now effective as of March 31, 2025), policy library buildout, and evidence preparation for self-assessment under SAQ A, A-EP, B, B-IP, C-VT, C, P2PE, or SAQ D. Engagements are remote-delivered to businesses across the United States, with deepest engineering capacity in Northern NJ, the NYC metro, Pennsylvania, and South Florida. We coordinate with QSA companies and ASV partners when a Report on Compliance or quarterly external scan is required; the broader security stack lives in our companion Managed Cybersecurity Services.



    v4.0.1 · Current PCI DSS standard release
    10 · SAQ types supported, SAQ A through SAQ D
    100% · Remote-delivered readiness, U.S. nationwide
    Mar 2025 · Future-dated controls, now effective requirements


    Six Failure Modes We See Repeatedly

    Where Most PCI DSS Programs Fail

    A signed SAQ is not a compliance program. The recurring failures are governance-driven, not technical, and acquiring banks and card-brand forensic investigators now look directly for these patterns when a breach is suspected. Each one has a fix that lives upstream of the control implementation.

    Scoping Shortcuts

    The cardholder data environment is drawn around the obvious systems and quietly omits a payroll integration, a marketing automation tool, or a Slack channel where receipts get pasted. When the forensic investigator follows the data, the omitted system becomes the breach point, the SAQ is invalidated, and the merchant moves to Level 1 ROC scope.

    Wrong SAQ Selected

    An e-commerce merchant submits SAQ A on the assumption that “Stripe handles it,” not realizing the checkout iframe loads JavaScript from a non-PCI domain and the payment page can be tampered with. The correct path is SAQ A-EP, which carries 191 controls instead of 22. SAQ self-selection without a qualifying analysis is one of the most common audit failures.

    Stale Policy Library

    Policies copied from a template four years ago, signed once, and never reconciled with how the business actually runs. PCI DSS v4.0.1 requires that policies be reviewed annually, that targeted risk analyses justify any flexibility taken, and that operational reality match the document. Auditors flag the gap on sight.

    Compensating Controls Without Justification

    A control marked “not applicable” or backed by a compensating control with no written reasoning. v4.0.1 introduced the Customized Approach and Targeted Risk Analysis precisely to formalize this; informal “we do it differently” answers fail the new standard. Every deviation needs a documented rationale, an equivalent risk position, and an annual review.

    Evidence Gathered After-the-Fact

    Quarterly ASV scan reports collected the week of audit, log retention configured to 30 days when the standard says 12 months, MFA logs missing for three of the four quarters. The standard requires a continuous evidence chain. A scramble at audit time produces gaps the auditor will quote line-by-line in the AOC.

    Treated as IT-Only

    PCI DSS spans Finance (chargebacks, accounting practices), Legal (vendor contracts and right-to-audit clauses), HR (background checks, training records), and Operations (call-center and store-floor card handling). When the program is owned by IT alone, the cross-functional Requirements (12.x) get under-evidenced and a real auditor finds them in fifteen minutes.



    Four Programmatic Foundations

    What a Real PCI DSS Program Includes

    A defensible PCI DSS posture lives in four artifacts plus a continuous evidence cadence that keeps them honest. We build all four, then teach your team to operate them so the next audit cycle is a refresh, not a rebuild.

    Defensible CDE Scoping

    A diagrammed cardholder data environment that follows the actual flow of primary account numbers, sensitive authentication data, and cardholder data, then segments out everything else. Every connected system is named. Every exclusion is justified.

    • Payment flow diagram per channel
    • System inventory with PAN exposure
    • Network segmentation evidence
    • Connected-system documentation
    • Annual scope review

    Right-Sized SAQ Selection

    A documented qualifying analysis that picks the correct Self-Assessment Questionnaire for each acceptance channel. Selecting the wrong SAQ is the most common compliance failure and the easiest to prevent with a structured eligibility check.

    • Channel-by-channel SAQ qualification
    • SAQ A vs A-EP iframe analysis
    • SAQ B vs B-IP terminal review
    • SAQ C-VT vs C virtual terminal scope
    • SAQ D fallback documentation

    Living Policy + Evidence Chain

    A 15-policy library mapped to the 12 Requirements, with named owners, annual review dates, and a continuously refreshed evidence vault that auditors can sample at any moment.

    • 15 policies aligned to 12 Requirements
    • Named owner and annual review date
    • Targeted Risk Analyses on file
    • Customized Approach Objectives where used
    • 12-month evidence retention

    Quarterly Operating Cadence

    ASV scans, internal vulnerability scans, awareness training, change management reviews, and access certifications run on a calendared cadence that produces evidence as a byproduct of operating, not a scramble at audit.

    • Quarterly ASV external scans (partner)
    • Authenticated internal vulnerability scans
    • Annual awareness training cycle
    • Quarterly access reviews
    • Continuous change-management evidence


    The OST PCI DSS Methodology

    From CDE Scope to Submitted SAQ in Five Phases

    Mapped to the PCI Security Standards Council’s prioritized approach and the v4.0.1 Customized Approach option. Phases run sequentially on first engagement, then loop annually for ongoing programs.

    Phase 1 · Discover

    Stakeholder interviews across Finance, IT, Operations, HR, and Legal. We map every payment acceptance channel, build a system inventory, and identify the steering committee before any analysis work begins.

    Phase 2 · Scope

    Cardholder data environment definition: payment flow diagrams, segmentation analysis, connected-system inventory, and the qualifying analysis that selects the right SAQ per channel. Output is the documented CDE that anchors the rest of the program.

    Phase 3 · Gap Assess

    Requirement-by-Requirement assessment against PCI DSS v4.0.1, including the 51 future-dated controls now in force. Each gap is rated by impact, effort, and risk, with a remediation owner and target date assigned. The output is the program backlog.

    Phase 4 · Remediate

    Policy library buildout, MFA across the CDE, encryption uplift to v4.0.1 standards, log retention to 12 months, change management workflows, and ASV scan coordination via partner. Targeted Risk Analyses authored where the Customized Approach is used.

    Phase 5 · Validate

    SAQ completion or QSA-led ROC support, Attestation of Compliance drafting, evidence package handoff to the acquirer, and the operating cadence that keeps the program continuously audit-ready in subsequent cycles.



    SAQ Type Guide

    Which Self-Assessment Questionnaire Applies to You?

    PCI DSS v4.0.1 publishes ten SAQ types. Picking the wrong one is the single most common compliance failure. The guide below is a directional summary; the qualifying analysis we run in Phase 2 produces the documented selection your acquirer will accept.

    Card-Not-Present & E-Commerce

    SAQ A

    Card-not-present merchants who fully outsource cardholder data acceptance to PCI DSS validated third parties. Your website redirects to a third-party hosted payment page and never touches PAN. Roughly 22 controls.

    SAQ A-EP

    E-commerce merchants whose website partially controls the payment page (iframe with non-PCI scripts, or a checkout that reaches into a third-party API). Roughly 191 controls. Most Stripe and Authorize.Net implementations on a custom checkout fall here.

    SAQ B

    Merchants using only standalone dial-out terminals or imprint machines, no electronic storage of cardholder data, no internet-connected systems. Increasingly rare.

    SAQ B-IP

    Merchants using PTS-approved point-of-interaction devices that connect to payment processors over IP, with no electronic cardholder data storage on systems. Common for small retail with modern terminals.

    Card-Present & Direct-Acceptance

    SAQ C-VT

    Merchants who manually key transactions into a virtual terminal on a dedicated, isolated workstation. No electronic storage of cardholder data, no other functions on the workstation.

    SAQ C

    Merchants with payment application systems connected to the internet but no electronic cardholder data storage on the merchant systems. Common for hospitality and small healthcare clinics with integrated POS.

    SAQ P2PE

    Merchants using only PCI SSC-listed Point-to-Point Encryption solutions with hardware payment terminals. Lightest control set if a true P2PE solution is in place; the validation requirement is strict.

    SAQ SPoC

    Merchants using SPoC (Software-based PIN Entry on Commercial Off-the-Shelf devices) solutions, where a mobile device combined with a secure card reader replaces a traditional terminal.

    SAQ D

    Merchants and service providers who do not qualify for any other SAQ. The full questionnaire, all 12 Requirements, all applicable controls. Two flavors: SAQ D-Merchant and SAQ D-Service Provider.

    When You Need a QSA, Not an SAQ

    Merchants processing more than 6 million Visa or Mastercard transactions per year (Level 1) cannot self-assess. They must undergo an annual on-site assessment by a Qualified Security Assessor that produces a Report on Compliance and an Attestation of Compliance. We do not write ROCs; we run the readiness program that prepares your environment for the QSA, and we coordinate with QSA partners through our network when the engagement crosses that line.



    Effective March 31, 2025

    Six v4.0.1 Future-Dated Requirements Now in Force

    PCI DSS v4.0 introduced 64 new requirements; 51 of those were future-dated to March 31, 2025. They are now in force. Most of our incoming engagements have one or more of these gaps. Each one is concrete, evidence-driven, and the auditor will look for it line-by-line.

    Req 8.4.2

    MFA for All CDE Access

    Multi-factor authentication is now required for every access into the cardholder data environment, not only remote access. Includes service accounts where feasible and the documented risk position where not.

    Req 3.5.1.2

    No More Disk-Level Encryption-at-Rest

    Disk-level encryption no longer satisfies the encryption-at-rest requirement for stored PAN, except on removable electronic media. Database-level, column-level, or tokenized storage is now the expected pattern.

    Req 11.3.1.2

    Authenticated Internal Vulnerability Scans

    Internal vulnerability scans must now be authenticated, exposing patch state and configuration drift the unauthenticated scan would never see. Quarterly cadence with documented remediation timelines.

    Req 11.6.1

    Tamper Detection on Payment Pages

    A change-detection mechanism must alert on unauthorized modification of HTTP headers and the contents of payment pages received by the consumer browser. Direct response to Magecart-style web skimming attacks.
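As an added illustration (not On-Site Technology's tooling, and not part of the original page) of the change-detection check Req 11.6.1 describes, the Python below fingerprints a payment page's security-relevant response headers and the scripts it loads, then reports every deviation from an approved baseline. The same script inventory is what the SAQ A versus A-EP qualifying analysis above turns on. All page bodies, headers and URLs are constructed samples.

```python
# Added illustration of the change-detection check Req 11.6.1 asks for; not
# On-Site Technology's tooling. Page bodies, headers and URLs are constructed.
import hashlib
from html.parser import HTMLParser

# Security-relevant response headers whose silent change should raise an alert.
MONITORED_HEADERS = ("content-security-policy", "strict-transport-security", "x-frame-options")


class ScriptCollector(HTMLParser):
    # Collects external script URLs and inline script bodies from an HTML page.
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def fingerprint(html, headers):
    """Reduce a page to what 11.6.1 cares about: monitored headers, the set of
    external script URLs, and a SHA-256 per inline script body."""
    collector = ScriptCollector()
    collector.feed(html)
    lowered = {k.lower(): v for k, v in headers.items()}
    return {
        "headers": {h: lowered.get(h) for h in MONITORED_HEADERS},
        "external": sorted(set(collector.external)),
        "inline": sorted(hashlib.sha256(s.encode()).hexdigest() for s in collector.inline),
    }


def diff_against_baseline(baseline, observed):
    """Return one alert string per deviation from the approved baseline."""
    alerts = []
    for h in MONITORED_HEADERS:
        if baseline["headers"][h] != observed["headers"][h]:
            alerts.append(f"header changed: {h}")
    for url in sorted(set(observed["external"]) - set(baseline["external"])):
        alerts.append(f"unexpected external script: {url}")
    for url in sorted(set(baseline["external"]) - set(observed["external"])):
        alerts.append(f"expected script missing: {url}")
    if baseline["inline"] != observed["inline"]:
        alerts.append("inline script content changed")
    return alerts


# Constructed baseline: the approved checkout page and its response headers.
BASELINE_HTML = """<html><head>
<script src="https://pay.example.com/checkout.js"></script>
<script>var cfg = {locale: "en"};</script>
</head><body><form id="payment"></form></body></html>"""
BASELINE_HEADERS = {
    "Content-Security-Policy": "script-src 'self' https://pay.example.com",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "DENY",
}

# Constructed observation: an extra script from an unapproved host appears and
# the CSP header is gone, the pattern 11.6.1 monitoring exists to catch.
OBSERVED_HTML = BASELINE_HTML.replace(
    "</head>", '<script src="https://cdn.example.org/extra.js"></script></head>')
OBSERVED_HEADERS = {k: v for k, v in BASELINE_HEADERS.items() if k != "Content-Security-Policy"}


def run_check():
    """Compare the constructed observation with the baseline; returns the alert list."""
    return diff_against_baseline(fingerprint(BASELINE_HTML, BASELINE_HEADERS),
                                 fingerprint(OBSERVED_HTML, OBSERVED_HEADERS))
```

Calling `run_check()` returns two alerts, one for the dropped Content-Security-Policy header and one for the unapproved script URL; in production the baseline would be stored at change-approval time and the observed fingerprint taken from the page as delivered to a consumer browser.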

    Req 12.3.3

    Annual Cryptography Review

    Cryptographic suites and protocols must be reviewed annually with active monitoring of industry trends. The standard now expects an explicit deprecation roadmap as algorithms age out.

    Multiple Reqs

    Targeted Risk Analyses Replace “If Applicable”

    Several controls that previously read “periodically” or “as appropriate” now require a written Targeted Risk Analysis that defines the cadence and the rationale. The Customized Approach option formalizes deviations.



    Framework Crosswalk

    Reuse PCI Controls Across the Frameworks Your Auditors Cite

    PCI DSS shares meaningful control overlap with the frameworks you are likely already chasing. We design engagements so every control implementation produces evidence usable across multiple audits, not just the SAQ.

    Federal Catalog

    NIST SP 800-53 Rev. 5

    Roughly 70% control overlap with PCI DSS. Access Control, Audit and Accountability, Configuration Management, and System and Communications Protection families map directly to PCI Requirements 1, 2, 7, 8, and 10.

    Risk Framework

    NIST CSF 2.0

    PCI DSS controls populate the Identify, Protect, Detect, and Respond functions cleanly. The new Govern function maps to PCI Requirement 12 (information security policy and program management).

    International

    ISO/IEC 27001:2022

    The 93 Annex A controls in ISO 27001:2022 cover most PCI DSS Requirements at the policy and process layer. Organizations chasing both can collapse the policy library to a single mapped set.

    SaaS Audit

    SOC 2 Trust Services

    PCI DSS evidence largely satisfies the Security and Confidentiality criteria. The CC6 logical access, CC7 system operations, and CC8 change management series reuse PCI controls almost verbatim.

    Healthcare

    HIPAA Security Rule

    For healthcare merchants accepting card payments, the access control, audit, transmission security, and integrity safeguards in 45 CFR 164.312 align directly with PCI Requirements 7, 8, 10, and 11.

    Financial Services

    NY DFS 23 NYCRR 500

    For NY-licensed financial institutions, the cybersecurity program (500.2), access privileges (500.7), and incident response (500.16) sections reuse PCI control evidence directly. Annual certification dovetails with PCI’s evidence cycle.



    Engagement Deliverables

    What’s Included in Every Engagement

    • Stakeholder scoping interviews across Finance, IT, Operations, HR, Legal, and the executive sponsor.
    • Cardholder data environment scoping with payment flow diagrams per channel and a connected-system inventory.
    • Right-sized SAQ qualifying analysis per acceptance channel, with documented eligibility reasoning.
    • 12-Requirement gap report against PCI DSS v4.0.1 with every gap rated by impact, effort, and risk.
    • Policy library of approximately 15 policies mapped to all 12 Requirements, named owner per policy, annual review schedule.
    • Targeted Risk Analyses for any control where a flexibility or Customized Approach is taken.
    • Remediation plan with named owners, target dates, and weekly status checkpoints through closure.
    • SAQ and AOC support including question-by-question completion guidance and Attestation drafting.
    • ASV scan coordination through partner Approved Scanning Vendors with quarterly cadence and remediation tracking.
    • Acquirer evidence package ready for upload to your acquiring bank’s portal in the format they accept.
    • Quarterly review cadence on the ongoing program tier so the next attestation is a refresh, not a rebuild.


    Three Engagement Models

    Pick the Engagement That Matches Where You Are

    Every engagement is scoped to your acquirer, transaction volume, and payment channels. Pricing is contact-gated because the variables (CDE size, channel mix, regulatory regime, urgency) move every quote. Talk to us and we will scope a proposal.

    Tier 1 · 3–5 weeks

    SAQ Self-Service Prep

    A focused readiness sprint for SAQ A merchants on Shopify, Stripe Checkout, or other fully-outsourced e-commerce platforms.

    Includes
    • Channel scoping interview
    • SAQ A vs A-EP qualifying analysis
    • Lightweight 12-Req gap check
    • Core policy starter pack
    • SAQ completion walk-through
    • AOC drafting support
    For: SAQ A merchants whose acquirer is asking for an updated attestation and whose payment stack is genuinely fully outsourced.
    Tier 2 · 8–14 weeks · Most Common

    Guided Readiness

    The full readiness program for SAQ A-EP, B-IP, C-VT, C, and SPoC merchants. Gap, remediate, attest, with policy library and quarterly ASV scans wired in.

    Includes
    • Everything in Tier 1, plus
    • Full CDE scoping with diagrams
    • 12-Requirement gap report
    • Full 15-policy library buildout
    • Targeted Risk Analyses where used
    • ASV scan coordination via partner
    • Acquirer evidence package
    For: SAQ A-EP, B-IP, C-VT, C, or SPoC merchants whose acceptance involves any electronic systems, integrated payment apps, or virtual terminals.
    Tier 3 · Quarterly retainer

    Assessment-Ready Program

    Continuous program management for SAQ D merchants, service providers, and Level 1 ROC merchants who need a QSA-led assessment. We run the program; the QSA partner runs the audit.

    Includes
    • Plan-of-record program management
    • Quarterly evidence-cycle reviews
    • Continuous policy + control updates
    • QSA-partner introduction for ROC
    • Annual audit-readiness rehearsal
    • Post-incident control hardening
    For: service providers, Level 1 merchants, regulated industries with recurring PCI plus SOC 2 plus HIPAA cycles, or any organization with a board-level payment-security mandate.


    Frequently Asked Questions

    PCI DSS Compliance: FAQs

    The questions finance leaders, IT directors, and compliance officers ask us most often before scoping a PCI engagement.

    What is PCI DSS v4.0.1 and when did the future-dated requirements take effect?

    PCI DSS v4.0.1 is the current version of the Payment Card Industry Data Security Standard, published by the PCI Security Standards Council in June 2024 as a limited revision to v4.0. v4.0.1 superseded v4.0 in December 2024. Of the 64 new requirements introduced in v4.0, 51 were future-dated and went into effect on March 31, 2025. They are now in force for every assessment cycle. The most-tested controls in scope are MFA for all CDE access (Req 8.4.2), authenticated internal vulnerability scans (Req 11.3.1.2), tamper detection on payment pages (Req 11.6.1), and the new annual cryptography review (Req 12.3.3).

    How do I know which SAQ type applies to my business?

    SAQ selection is driven by your acceptance channels and how cardholder data flows through your environment, not by your transaction volume alone. SAQ A is for fully-outsourced card-not-present merchants. SAQ A-EP applies when your e-commerce site partially controls the payment page, which is most custom checkouts even when Stripe or Authorize.Net handles the actual transaction. SAQ B-IP fits small retail with PTS-approved internet-connected terminals. SAQ C-VT and SAQ C cover virtual terminals and integrated payment applications. SAQ D is the catch-all when no narrower SAQ applies. The qualifying analysis we run in Phase 2 of an engagement produces the documented selection your acquirer will accept.

    Do I need a QSA, or can I self-assess with an SAQ?

    Most merchants below 6 million Visa or Mastercard transactions per year are eligible to self-assess with an SAQ. Above that threshold, the card brands typically classify a merchant as Level 1 and require an annual on-site assessment by a Qualified Security Assessor that produces a Report on Compliance. Service providers face their own thresholds (300,000 transactions per year for Level 1 service provider designation under Visa). On-Site Technology runs the readiness program; we do not write ROCs ourselves. When an engagement crosses into ROC scope we coordinate with QSA partners through our network, and the OST team continues to operate the program around the audit.

    What changed between PCI DSS v4.0 and v4.0.1?

    v4.0.1 is a limited revision, not a major release. It clarifies wording in roughly 60 places, refines the SAQ A eligibility criteria (specifically around scripts loaded into the payment page), updates several testing procedures to remove ambiguity, and corrects formatting errors. There are no new requirements in v4.0.1 beyond what v4.0 already published. The March 31, 2025 deadline for the 51 future-dated v4.0 controls is unchanged. Organizations already aligned to v4.0 do not need to re-engineer; they need to confirm the SAQ A clarifications do not change their SAQ qualification.

    How long does PCI DSS compliance preparation typically take?

    A SAQ Self-Service Prep engagement for a fully-outsourced e-commerce merchant typically runs 3 to 5 weeks. A Guided Readiness engagement for an SAQ A-EP, B-IP, C-VT, or C merchant lands in 8 to 14 weeks depending on the size of the gap and the speed of remediation. An Assessment-Ready Program for a service provider or Level 1 merchant operates as a quarterly retainer with the QSA-led audit timed to the merchant’s renewal cycle. The pace is usually set by remediation work the IT and engineering teams own, not by drafting time.

    How much do PCI DSS compliance services cost?

    Pricing is contact-gated because the variables move every quote: number of acceptance channels, transaction volume, current state of the policy library, current MFA and encryption posture, whether a QSA-led assessment is in scope, and the urgency. The Tier 1 SAQ Self-Service Prep is the typical entry point and the smallest commitment. The Tier 3 Assessment-Ready Program is the long-term engagement model. Talk to us through the form on this page and we will typically scope a proposal within one to two business days.

    Is OST itself a QSA or an Approved Scanning Vendor?

    No. We are not listed by the PCI Security Standards Council as a QSA company or as an Approved Scanning Vendor, and we do not represent ourselves as either. OST is a readiness and program-management partner. We run the gap assessment, build the policy library, prepare the evidence, and walk you through SAQ completion. When a Report on Compliance or quarterly external scan is required, we coordinate with QSA companies and ASV partners through our network. That separation is intentional; it keeps our incentives aligned with getting your environment compliant rather than billing for the audit.

    Do you deliver PCI DSS services outside New Jersey?

    Yes. PCI DSS readiness work (CDE scoping, gap assessment, policy authoring, SAQ guidance, evidence preparation) is delivered remotely via Teams or Zoom and is available to merchants and service providers across the United States. We have deepest engineering capacity in Northern NJ, the NYC metro, Pennsylvania, and South Florida, which becomes useful when on-site network segmentation work or terminal-environment validation is needed in those regions. For purely remote engagements, location is not a constraint.

    What happens if I take credit cards but do not comply?

    PCI DSS is a contractual obligation between you and your acquiring bank, not a law in most jurisdictions. Acquirers can fine non-compliant merchants between $5,000 and $100,000 per month, raise transaction-processing rates, downgrade transaction interchange categories, or revoke the merchant account entirely. After a breach, the card brands can assess fines that have run into the millions, and your acquirer is contractually entitled to pass those through. The compliance program is also what most cyber insurers now require during renewal, so non-compliance cascades into premium increases and coverage limits.

    How does PCI DSS overlap with HIPAA, SOC 2, and NIST CSF?

    Significantly. PCI DSS controls populate the Identify, Protect, Detect, and Respond functions of NIST CSF 2.0 cleanly. The Security and Confidentiality Trust Services Criteria of SOC 2 reuse PCI control evidence almost verbatim in the CC6, CC7, and CC8 series. The HIPAA Security Rule access control, audit, and transmission security safeguards (45 CFR 164.312) align with PCI Requirements 7, 8, 10, and 11. We design engagements so the policy library and evidence package serve every audit cycle the merchant chases, not just the SAQ. Cybersecurity context lives on our Managed Cybersecurity Services page.

    What is the difference between SAQ A and SAQ A-EP for e-commerce?

    The hinge is whether your website page that hosts the payment form (or the iframe that contains it) controls any aspect of the cardholder data flow, including the JavaScript loaded onto that page. SAQ A applies when the payment page is fully delivered by a PCI DSS validated third party and your merchant pages contain no scripts that interact with the form. SAQ A-EP applies when your site partially controls the payment page, which most custom checkouts do, even ones that route to Stripe or Authorize.Net for the actual transaction. SAQ A is roughly 22 controls; SAQ A-EP is roughly 191 controls. Picking SAQ A when SAQ A-EP applies is one of the most common compliance failures and is the failure mode the v4.0.1 SAQ A clarifications were written to address.

    Can OST help with the quarterly ASV vulnerability scans?

    Yes, through partner ASVs. We coordinate the quarterly scans, collect the reports, drive remediation of any findings against documented timelines, and store the evidence in your audit-ready vault. We are not the ASV ourselves; the ASV is a PCI SSC-listed partner. The merchant of record contracts with the ASV; OST manages the program around the scan, including authenticated internal vulnerability scans (Req 11.3.1.2) which are typically run on tooling we operate.





    Ready to Scope an Engagement?

    Tell Us About Your PCI Program

    Share your acquirer, transaction volume, and payment channels. We will reply with a scoped proposal for the engagement tier that fits. We typically respond within 4 business hours.



      Bring Your PCI Program Out of the Static-PDF Era

      Find Out What Your SAQ Would Actually Survive

      Bring us a stale binder, a half-completed SAQ, or a blank page. We will scope a readiness sprint, a guided program, or a continuous engagement that matches where your business actually is.

      v4.0.1 Standard Aligned · 5-Phase Methodology · 100% Remote Readiness · QSA+ASV Partner Network