PCI DSS v4.0 Compliance That Protects Your Payment Environment — and Your Right to Process Cards
Norvex Assurance guides merchants, payment service providers, and fintech companies through PCI DSS v4.0 compliance — from Cardholder Data Environment scoping and gap analysis through SAQ preparation, ASV scanning coordination, and QSA assessment management.
PCI DSS v4.0 Compliance
End-to-end managed service
PCI DSS (Payment Card Industry Data Security Standard) is the mandatory security framework created by the PCI Security Standards Council — founded by Visa, Mastercard, American Express, Discover, and JCB — to protect cardholder data across the global payments ecosystem. It applies to any organization that stores, processes, or transmits payment card data, regardless of size or transaction volume. PCI DSS v4.0 became the sole active standard in March 2024, introducing 64 new requirements compared to v3.2.1. Non-compliance exposes your organization to card brand fines ($5,000–$100,000 per month), higher transaction fees, and — in the worst case — termination of your ability to accept payment cards entirely.
Not sure if you need PCI DSS?
Talk to one of our experts — free, no obligation.
Most companies start with Type I to establish a baseline, then graduate to Type II within 6–12 months.
6M+ Transactions / Year
What it covers: The most rigorous PCI compliance tier. Requires an annual on-site audit by a Qualified Security Assessor (QSA) and quarterly network scans by an Approved Scanning Vendor (ASV).
Timeline: 6–14 weeks for QSA assessment readiness
Best for: Large merchants and service providers processing over 6 million Visa/Mastercard transactions annually, or any service provider that stores, processes, or transmits card data for others.
Business impact: A Level 1 Report on Compliance (ROC) from a QSA provides the highest level of assurance. Required by major acquiring banks and payment brands for high-volume merchants.
1M – 6M Transactions / Year
What it covers: Annual self-assessment using the appropriate SAQ (Self-Assessment Questionnaire), plus quarterly ASV network scans. Some acquirers require an Attestation of Compliance (AoC) from a QSA.
Timeline: 4–8 weeks for SAQ completion
Best for: Mid-size merchants processing 1–6 million transactions annually across all payment channels.
Business impact: SAQ completion demonstrates compliance to your acquiring bank. Choosing the correct SAQ type is critical — Norvex Assurance determines the right SAQ for your card data environment.
20K – 1M E-Commerce Transactions
What it covers: Annual SAQ completion and quarterly ASV scans. Specific to e-commerce merchants processing 20,000–1 million transactions annually.
Timeline: 3–6 weeks for SAQ completion
Best for: E-commerce merchants with moderate transaction volumes that accept card payments through a payment gateway or third-party processor.
Business impact: Satisfies acquirer compliance requirements and demonstrates to customers that your payment environment meets industry security standards.
Under 20K E-Commerce / Under 1M Other
What it covers: Annual SAQ completion recommended by the payment brand, plus quarterly ASV scans as required by your acquirer.
Timeline: 2–4 weeks for SAQ completion
Best for: Small merchants with low transaction volumes, typically using third-party payment processors. Many Level 4 merchants qualify for the simplest SAQ types (SAQ A or SAQ A-EP).
Business impact: Even small merchants face liability for card data breaches. PCI compliance protects you from card brand fines and demonstrates your payment security to customers.
Not sure which type you need?
Define your Cardholder Data Environment (CDE) — every system, component, and person that stores, processes, or transmits cardholder data. Proper scoping is the single most cost-effective PCI DSS investment: scope creep drives compliance cost.
Evaluate tokenisation, Point-to-Point Encryption (P2PE), and network segmentation opportunities to remove as many systems as possible from PCI scope — reducing your compliance obligation and ongoing cost.
Evaluate your environment against all applicable PCI DSS v4.0 requirements. Produce a risk-ranked gap report with clear remediation priorities and effort estimates.
Hands-on implementation of required technical and administrative controls — firewall configurations, encryption, access controls, logging, vulnerability management, and security awareness training.
Prepare your Self-Assessment Questionnaire (SAQ) or support your QSA in preparing the Report on Compliance (ROC). We ensure every response is accurate, evidence is complete, and no questions are left to interpretation.
Coordinate quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Remediate scan findings and manage rescans to achieve clean scan results.
For Level 1 merchants and service providers requiring a QSA assessment, we prepare your environment, coach your team, and act as liaison throughout the on-site audit to minimize disruption and maximize results.
PCI non-compliance can result in loss of payment processing ability — the existential risk for any business that accepts cards.
PCI controls significantly reduce the probability of a payment card data breach — which averages $4.5M per incident and frequently ends businesses that experience them.
Strategic tokenisation, P2PE, and segmentation can dramatically reduce your PCI scope — translating directly to lower compliance cost and simpler ongoing management.
PCI DSS v4.0 introduces 64 new requirements. Norvex Assurance implements directly to v4.0 — no legacy gaps, no transition overhead.
Choosing the wrong SAQ understates your compliance obligations and creates liability. We determine the correct SAQ type for your exact card data environment.
PCI compliance signals to customers, acquirers, and business partners that your payment environment is secure and professionally managed.
Our fixed-scope engagement covers every deliverable needed to achieve and maintain your PCI DSS certification — no hidden extras.
We believe you deserve to know what SOC 2 costs before you commit. All engagements begin with a free scoping call — no obligation.
Level 3–4
USD · 2–6 weeks
Ideal for: Small to mid-size merchants and SaaS companies using third-party payment processors that need SAQ completion and ASV scan management.
Level 2
USD · 4–10 weeks
Ideal for: Mid-size merchants (1–6M transactions) with more complex card data environments requiring detailed gap analysis, remediation support, and acquirer AoC submission.
Level 1
USD + QSA Fees · 6–14 weeks
Ideal for: Large merchants (6M+ transactions) and service providers that require an annual on-site QSA assessment and formal Report on Compliance.
Serving global clients in the US, India, UAE, Singapore, and beyond. All pricing quoted in USD.
"We were categorized as a Level 1 service provider and facing a QSA assessment with significant gaps. Norvex Assurance restructured our entire cardholder data environment, implemented segmentation that dramatically reduced our scope, and managed the QSA audit from start to finish. Clean ROC on the first attempt."
Head of Security
B2B Payments Platform — Series C
"We'd been completing the wrong SAQ type for two years without realizing it. Norvex Assurance re-scoped our CDE, identified that tokenisation made us SAQ A eligible, and cut our compliance scope by 80%. What had been a 200-question assessment became a 22-question one."
CTO
E-Commerce SaaS — Series A
"PCI DSS v4.0 introduced requirements we had no idea how to address. Norvex Assurance mapped every new requirement to our environment, built the controls, and got us compliant to v4.0 from day one — no legacy v3.2.1 gaps to carry forward."
VP of Compliance
FinTech Startup