PCI DSS Compliance Services

PwC can help you navigate your PCI DSS compliance requirements with a focus on pragmatic solutions. Our experience in delivering PCI compliance programmes for some of the leading global organisations offers you the perfect partner to help you assess, achieve and maintain PCI DSS compliance.

Why should my organisation take action now?

  • Card brands and acquiring banks are expecting more in the wake of major data breaches involving Cardholder Data (CHD). This is forcing many more merchants and service providers to gain PCI compliance.
  • Customer and regulatory scrutiny has increased, particularly under the General Data Protection Regulation (GDPR). This increased focus is shining the spotlight not just on how certified you are but on how well you consider, govern, manage and respond to cyber security incidents.
  • An increasingly punitive regulatory fining regime is in play. The risk of large fines from the card brands and the Information Commissioner's Office (ICO) as a result of a cardholder data breach has increased, forcing organisations to give much more consideration to their security posture and compliance.

What challenges can we help your organisation to solve?

  • The Cardholder Data Environment (CDE) and scope for PCI DSS Compliance is unclear and difficult to articulate
  • The project in place to understand the organisation's current PCI DSS compliance position and to help achieve compliance is large and complex
  • There is a lack of understanding of how privacy and PCI programmes should converge to ensure Personally Identifiable Information (PII) is handled in line with regulatory requirements
  • There are management overheads and strategic organisational changes which are threatening PCI compliance. Are there correct governance controls in place to maintain PCI compliance?

How can PwC help?

  • Current State Analysis: Perform an assessment to identify, define and reduce the scope of PCI DSS compliance where applicable. Perform a gap analysis to understand the PCI DSS control requirements and identify areas of compliance and non-compliance.
  • Remediation: Develop work-streams and support your internal teams with remediation activity to address identified scope enhancements and/or control gaps in order to satisfy PCI DSS requirements.
  • Validate & Operate: Support you in confirming your compliance to your acquiring bank or card brand and in maintaining it on an ongoing basis. This includes identifying the appropriate confirmation mechanism (Report on Compliance or Self-Assessment Questionnaire), supporting you through the formal compliance assessment activity (e.g. a QSA assessment), and helping you embed PCI controls in your BAU processes so that compliance is maintained as a continuous state.

Our Services

PCI Compliance Governance & Strategy

Maintaining PCI DSS compliance across multiple payment channels, subsidiaries and payment technologies can be complex and challenging. PwC can help your organisation deal with the challenges of PCI governance and implement programmes that ensure compliance is maintained and monitored over time, avoiding “compliance fatigue”.

Key elements we can help your organisation with are:

  • PCI Governance Model
  • PCI Operating Model
  • Development of PCI Framework
  • Roles and Responsibilities Matrix

In addition, we can help you define your PCI strategy taking into consideration the wider change road map of your organisation to set you on the correct path to achieving and maintaining compliance long term.

PCI DSS Scope Identification, Definition and Reduction

Using our systematic approach, which puts equal focus on People, Process and Technology, we can help you understand your complete PCI DSS compliance landscape. We can rapidly deploy our global team of PCI DSS experts to quickly understand your country-specific or global PCI DSS compliance landscape. This will help you identify and enforce the appropriate PCI DSS control requirements and reduce risk. With this information we can also assist you in identifying scope reduction opportunities (related to both technologies and business processes) to reduce the cost, administrative overhead and overall risk associated with Cardholder Data.

Payment Process and Cardholder Data Flow Mapping

Our PCI DSS specialists can help you create detailed Cardholder Data and Payment Process Flow Diagrams to give you clarity on your “as-is” and, where needed, “to-be” scope. This is also one of the key requirements (PCI DSS Requirement 1.1.3) for achieving and maintaining PCI DSS compliance.

PCI DSS Readiness Assessment

We assess your PCI DSS compliance against the latest version of the PCI DSS standard and provide you with a detailed report on how you are meeting the requirements, together with recommendations on areas for improvement. In addition, our report will provide you with a clear roadmap of the improvements required to meet all of the PCI requirements, in line with the PCI DSS Prioritized Approach.

Remediation Support

We can support any required remediation activity by collaborating with your internal teams as you work towards achieving PCI DSS compliance. This ensures that all remediation activity is carried out in line with PCI DSS requirements and meets project deadlines.

Managed PCI DSS Compliance Services

Our Managed PCI DSS Compliance Services allow you to focus on what matters. Our talent, technology and market insights can ensure that you continue to meet your PCI DSS compliance demands whilst achieving economies of scale.

PCI DSS Compliance Programme Management

We perform end-to-end programme management to help you achieve PCI DSS compliance. This includes scope identification and reduction, a PCI gap assessment, remediation management, audit support advisory and the transition of your compliance programme into BAU. We are with you every step of the way to give you the best chance of achieving compliance.

Penetration Testing Services

Our CREST / CHECK qualified teams can provide vulnerability management and penetration testing services for you to meet a number of PCI DSS requirements. These are:

  • External Penetration Testing (Requirement 11.3.1) – External penetration test annually and after any major change to your network, applications or devices.
  • Internal Penetration Testing (Requirement 11.3.2) – Internal penetration test annually and on request after any major change to your network, applications or devices.
  • Internal / External Vulnerability Scans (Requirement 11.2) – Internal and external quarterly network vulnerability scans (non-ASV only) and after any major change to your network.
  • Segmentation Penetration Test (Requirement 11.3.4) – Annual penetration tests to test your segmentation controls, and after any significant change to your environment.
  • Wireless Access Point Scan (Requirement 11.1) – Quarterly WAP scans to detect all WAPs connected to your network.

How are we helping clients?

Large Airports Group

We supported one of the largest airports groups in the UK in identifying their PCI DSS compliance scope, performing a PCI DSS gap assessment and creating a PCI DSS compliance roadmap. We also helped the client define their overall PCI DSS compliance strategy and governance framework to manage compliance on an ongoing basis.

Large Debt Purchasing Organisation

We performed a PCI DSS scope review and gap assessment exercise for a leading UK-based debt purchasing organisation. Outputs from this work included detailed recommendations on re-scoping their PCI DSS environment, including opportunities to reduce the scope of compliance through the use of technologies and process re-engineering. We also provided detailed tactical recommendations from the PCI DSS gap analysis to ensure all applicable PCI DSS control requirements are met in order to achieve compliance.

Leading UK Retail Bank

The client was concerned about the efficiency and progress of its existing PCI DSS compliance programme and engaged PwC to assess the current state of compliance within the bank and to develop a refreshed roadmap. Our experienced PCI QSA team leveraged existing documentation and conducted a series of workshops to understand the PCI DSS scope of compliance, identified the applicable PCI DSS controls and performed a gap assessment exercise. We provided the client with practical advice focused on risk reduction whilst ensuring that their business priorities were appropriately considered.

Why PwC?

  • We have supported our clients with their PCI compliance since 2004 and have become a QSA company in multiple regions globally
  • We have a proven ability to drive strategic change, meet strict deadlines and deliver value to the business instead of focusing solely on technical controls
  • We have access to a large number of PCI DSS and cyber security specialists worldwide
  • We are recognised as key players in the payment card scope reduction technology space through maintaining strategic relationships that help our clients reduce their compliance scope
  • We have a proven methodology and have successfully implemented holistic cardholder data security strategies for large, complex organisations, from strategy through to execution
  • We have the ability to provide full in-depth operational effectiveness testing of PCI controls

Contact us

Colin Slater

Cyber Security Partner, PwC United Kingdom

Tel: +44 (0) 7711 589065

Ahsan Qureshi

Senior Manager - Cyber Security, PwC United Kingdom

Tel: +44 (0)7710 035613