PCI DSS 4.0 Snapshot
You take credit cards. You're supposed to be PCI compliant. But which SAQ do you even need? What's actually required for your setup? We figure it out and tell you where you stand.
This is for you if:
- You process credit cards and need to figure out your PCI requirements
- Your acquiring bank is asking about PCI compliance
- You need to know what gaps you have before your next assessment
- PCI DSS 4.0 came out and you're not sure what changed
What you get
SAQ Type Determination
Which SAQ you need (A, A-EP, B, B-IP, C, C-VT, D, P2PE) and why. No more guessing.
Card Data Flow Diagram
Visual map showing where card data enters, moves through, and leaves your environment.
PCI DSS 4.0 Gap Analysis
Your current state vs. requirements. What you have, what you're missing, what will fail an assessment.
Remediation Roadmap
Prioritized list of fixes. What to tackle first, what can wait, and estimated effort for each.
Sample Card Data Flow Diagram
We document every point where card data enters, moves, or leaves your environment.
Confused about SAQ types?
There are 8 different SAQ types depending on how you handle card data. Pick the wrong one and you're either doing too much work or not enough. We figure out exactly which one applies to your setup.
Common questions
We use Stripe/Square/etc. Do we still need PCI compliance?
Yes, but your scope is usually smaller. Using a payment processor reduces what you need to do, but doesn't eliminate it. We'll figure out exactly what applies to you.
What's the difference between PCI DSS 3.2.1 and 4.0?
PCI DSS 4.0 has new requirements and more flexibility in how you meet them. Some 4.0 requirements are mandatory now, others have a grace period until 2025. We'll tell you which is which.
Do we need a QSA after this?
Depends on your volume and how you process cards. Most companies self-assess with an SAQ. If you need a QSA, this package gets you ready for that conversation.
What if we're not compliant right now?
Most companies aren't fully compliant when they start. The point is to know the gaps so you can fix them. We won't judge—we'll just tell you what needs work.
Can you help with remediation too?
This package is assessment only. If you need help fixing things, email us after you see the results. We can quote follow-on work if it makes sense.
Know where you stand on PCI.
We figure out your SAQ type, map your card data flows, and show you every gap. 10 days, $2,490, clear answers.