Readiness Process

Sprint Timeline

The engagement follows structured phases, each building on the outputs of the previous one.

1. Intake (2–6 days)
  • NDA & stakeholder map
  • Document request
  • Scoping interviews
  • System boundary draft

2. Assessment (9 days)
  • TSC selection
  • Type 1/Type 2 recommendation
  • Control walkthroughs
  • Evidence sampling

3. Outputs (9 days)
  • Controls matrix & gap register
  • Policy/document backlog
  • Evidence calendar
  • Executive readout & roadmap

4. Follow-on (variable)
  • Remediation implementation
  • Type 2 observation period

Phase Details

1. Intake & Scoping (Week 1)

We start by understanding your payment processing environment and current compliance posture.

  • CDE scoping and data flow analysis — identify all systems, networks, and processes that store, process, or transmit cardholder data
  • SAQ vs. ROC determination — determine the appropriate validation type based on merchant level and transaction volume
  • Network segmentation review — evaluate existing segmentation to define CDE boundaries
  • Current control inventory — document existing security controls and compliance documentation

2. Assessment (Weeks 2–3)

We evaluate your current control posture against all 12 PCI DSS requirements.

  • 12-requirement gap analysis — systematic review of controls across all requirements and sub-requirements
  • Network architecture review — validate CDE isolation, firewall rules, and segmentation effectiveness
  • Access control and authentication audit — evaluate user identification, MFA implementation, and access restriction controls
  • Vulnerability management evaluation — assess patching cadence, ASV scan readiness, and penetration testing scope

3. Outputs (Weeks 3–4)

We deliver the artifacts that define your path to PCI DSS compliance.

  • Scoping document with CDE boundaries — documented cardholder data environment with system inventory and network diagrams
  • Gap register mapped to 12 requirements — every requirement mapped to current state, with gaps ranked by risk and remediation effort
  • SAQ/ROC preparation roadmap — pre-populated assessment template or evidence mapping for QSA fieldwork
  • Remediation prioritization matrix — prioritized plan to close gaps with owners, timelines, and resource requirements

4. Follow-on (Ongoing)

After the readiness sprint, maintaining compliance requires ongoing monitoring and validation.

  • ASV scan program — coordinate quarterly external vulnerability scans with an Approved Scanning Vendor
  • Penetration testing schedule — annual penetration testing coordination with scope aligned to CDE boundaries
  • Annual reassessment preparation — support annual PCI DSS revalidation and evidence collection

Sprint Deliverables

Every readiness sprint produces these minimum deliverables:

  • CDE scope document and data flow diagrams
  • SAQ type determination or ROC scoping
  • 12-requirement gap analysis
  • Network segmentation assessment
  • Access control and MFA review
  • Vulnerability management evaluation
  • Evidence collection matrix
  • Remediation prioritization roadmap

Start Your Readiness Sprint

Most companies complete the readiness sprint in 3–4 weeks. The result is a clear, actionable plan to achieve PCI DSS v4.0.1 compliance.
