Get ready for PCI compliance with confidence

We help you assess your PCI DSS readiness, identify gaps in cardholder data protection, and prepare for validation against the applicable compliance level.
Payment Card Industry (PCI)

PCI services

PCI DSS v4.0.1 introduces updated requirements and enhanced validation methods that help organisations strengthen their data protection practices while improving reporting transparency.

  • The PCI Data Security Standard (PCI DSS) sets the minimum standards, but it can be hard to follow and report on. Bastion's Qualified Security Assessors (QSAs) help your business secure payment card data and meet your PCI DSS requirements in a simplified manner.
  • We have been a QSA (Qualified Security Assessor) company since 2017 (previously under Quantum) and a PCI 3D-Secure assessor since 2024.
  • We have 2 QSAs and 2 AQSAs as well as a PCI 3D-Secure assessor.
Service detail

PCI DSS v4.0.1

In March 2022, the PCI Security Standards Council released version 4.0 of the PCI Data Security Standard. Now at v4.0.1, it represents the most significant update since the standard's initial release in 2004.

What's new in PCI DSS v4.0.1

Key updates every business needs to understand

  • Brings major updates to how businesses validate and report on PCI DSS compliance.
  • Helps ensure data security controls stay effective as threats and technology evolve.
  • Introduces new requirements for ongoing assessments and stronger validation processes.
  • Supports flexible, risk-based security by allowing customised controls with clear outcomes.
Our delivery process

Our process

Bastion's PCI DSS v4.0 Gap Assessment follows a structured process to evaluate compliance with PCI DSS v4.0. Through a kick-off call, scope validation, onsite/remote validation and a comprehensive gap report write-up, you gain valuable insights into your compliance status and receive actionable recommendations to enhance your security controls. By leveraging this service you can demonstrate your commitment to maintaining a robust security posture and effectively safeguarding payment card data.
Scoping & planning
We start with a scoping call to understand your environment and determine which systems are in scope.
Evidence collection
We gather evidence through documentation review and remote interviews, validating how your controls have been implemented.
Findings & recommendations
You receive a written report highlighting compliance gaps, remediation guidance and a clear path to strengthen your PCI DSS posture.
Benefits

Why work with us

Whether you're completing a full PCI DSS assessment or preparing for a Self-Assessment Questionnaire, Bastion brings expertise and practical support to help you navigate every stage of the process.
Pre-audit support
We help identify gaps before the formal audit begins, reducing risk and minimising costly remediation. Our assessors work with you to review evidence.
Scoping and risk reduction
Our team will guide you through PCI scoping to define and limit the systems and environments in scope. We focus on accurate, risk-based scoping.
Support for SAQs
We assist merchants and service providers in selecting and completing the correct Self-Assessment Questionnaire (SAQ) and provide guidance.
What comes next

Expand your PCI capability

Achieving PCI DSS compliance is just one part of building a strong security posture. Bastion can support you beyond the assessment with expert guidance, practical remediation and ongoing assurance.

  • Remediate non-compliant controls and close evidence gaps
  • Implement sustainable security improvements aligned with PCI requirements
  • Plan for revalidation or annual reassessment with minimal disruption
Frequently asked questions

From risk assessment to rapid response - we’re with you every step of the way.

What is PCI DSS and who needs to comply?

PCI DSS (Payment Card Industry Data Security Standard) is a global framework designed to protect cardholder data. Any organisation that stores, processes or transmits payment card information is required to comply with PCI DSS.

What are the new requirements in PCI DSS v4.0?

PCI DSS v4.0 introduces new validation methods, more flexible requirements, and greater emphasis on continuous security. Key changes include targeted risk analysis, expanded multi-factor authentication, and enhanced password and access controls.

How do I know if my business needs a Self-Assessment Questionnaire (SAQ) or a full QSA audit?

It depends on how your organisation processes card payments. Smaller or lower-risk merchants may qualify for an SAQ, while larger or more complex environments typically require a Qualified Security Assessor (QSA) to perform a full audit.

What happens if we fail a PCI DSS assessment?

Failing an assessment doesn’t automatically mean penalties, but it does expose your organisation to risk and potential non-compliance consequences. We’ll work with you to understand the gaps and develop a remediation plan to get you back on track.

How long does a PCI DSS assessment take?

The timeline depends on the size and complexity of your environment. A straightforward SAQ can take a few days, while a full QSA-led assessment may take several weeks from scoping through to reporting.
