PCI DSS Implementation · India and UAE

PCI DSS Compliance in India & UAE

End-to-end SAQ (Self-Assessment Questionnaire) preparation and QSA (Qualified Security Assessor) readiness. Your team stays focused on the business; we handle everything related to security compliance.

Did your payment aggregator, acquiring bank, or enterprise client just ask for your PCI DSS Attestation of Compliance (AoC)? Visa, Mastercard, RuPay, and every other payment card network require it of every business that stores, processes, or transmits payment card data. We assess your scope, identify your merchant level, implement the required controls, and prepare your SAQ or coordinate your QSA audit until your AoC is in hand.

PCI DSS is required if you store, process, or transmit payment card data

PCI DSS compliance is not a law. However, it is a contractual obligation enforced by almost every card network operating in India: RuPay, Visa, Mastercard, American Express, Diners, JCB, and others. Non-compliance has direct commercial and financial consequences.

Payment Aggregators and Acquiring Banks

Every payment aggregator operating under RBI's Payment Aggregator framework (Razorpay, PayU, CCAvenue, Cashfree, and others) requires an annual Attestation of Compliance (AoC) from its merchants as a condition of the merchant agreement. The RBI also mandates PCI DSS compliance in its guidelines for payment aggregators and payment gateways. If your AoC lapses, your payment aggregator is entitled to suspend your account.

Fintech Licence and Partnership Conditions

RBI's prepaid payment instrument licences, payment aggregator licences, and NBFC-P2P authorisations all have cybersecurity conditions that reference PCI DSS. Fintech companies in lending, wealth, insurance distribution, and digital payments are routinely asked for their PCI DSS status during partner due diligence, investor reviews, and RBI examinations. A missing or lapsed AoC becomes a regulatory finding

E-Commerce and B2B Enterprise Clients

Enterprise procurement teams at large Indian companies and global clients with payment processing operations require PCI DSS compliance from every vendor that integrates with their payment systems, handles their billing data, or processes transactions on their behalf. This applies to SaaS platforms with billing modules, B2B marketplaces, and any software vendor whose product handles a buyer's payment environment, even indirectly

UAE and International Card Processing

UAE payment processors, CBUAE-regulated entities, and international payment networks operating in the Gulf region require PCI DSS compliance from any merchant or technology vendor handling card transactions. For Indian companies with UAE operations or international payment processing, compliance must cover both environments. A single AoC does not always cover both. Scope definition is the critical first step

Card brand penalties for non-compliant merchants and service providers are commercially severe and separate from any data breach costs

$5K-$100K* - Monthly fines to card brands for non-compliant Level 1 merchants until compliance is restored
$50-$90* - Per compromised card record in breach liability; applied to every card in scope at the time of the breach
Account suspension - Payment aggregators are entitled to suspend merchant accounts for a lapsed AoC without warning
*Based on publicly available data on penalties; fines are typically levied in USD for global uniformity

PCI DSS is not one-size-fits-all

Your obligations depend on two things: your transaction volume and your card environment. Your merchant level determines whether you need a QSA audit or can self-assess. Your card processing environment determines which SAQ applies. Getting either of these wrong wastes time and leaves you exposed.

Level 1
Criteria: Over 6 million card transactions/year, OR any merchant that has experienced a data breach
Assessment: Annual on-site audit by a Qualified Security Assessor (QSA)
QSA fee: Paid directly to the QSA firm
Output: Report on Compliance (RoC) + Attestation of Compliance (AoC)

Level 2
Criteria: 1-6 million card transactions/year
Assessment: Annual SAQ (self-assessment) + quarterly network scan by an Approved Scanning Vendor (ASV)
QSA fee: Not required; acquirers may request QSA validation
Output: Completed SAQ + Attestation of Compliance (AoC)

Level 3
Criteria: 20,000-1 million e-commerce transactions/year
Assessment: Annual SAQ + quarterly ASV scan
QSA fee: Not required
Output: Completed SAQ + Attestation of Compliance (AoC)

Level 4
Criteria: Fewer than 20,000 e-commerce transactions/year, OR up to 1 million other card transactions
Assessment: Annual SAQ (recommended) + quarterly ASV scan (if applicable)
QSA fee: Not required
Output: Completed SAQ + Attestation of Compliance (AoC)

Selecting the wrong SAQ type means submitting an AoC that does not actually cover your real scope. If a breach then occurs, card brands treat this as if you had no compliance at all.

SAQ A
Who it applies to: Card-not-present merchants who fully outsource card processing and functions to PCI DSS compliant third parties
Controls required: Fewest; focus is on third-party management and website security
Common for: Pure payment-gateway redirect with no iframe/JavaScript integration

SAQ A-EP
Who it applies to: E-commerce merchants with a website that partially outsources card processing but may affect the security of the payment card data environment
Controls required: More than SAQ A; includes JavaScript library security and web server controls
Common for: Merchants using embedded iframes or JavaScript payment widgets

SAQ B
Who it applies to: Merchants using imprint machines or standalone dial-out terminals; no electronic storage of payment card data
Controls required: Physical terminal security; no storage requirements
Common for: Retail merchants with standalone POS and limited e-commerce

SAQ C
Who it applies to: Merchants with payment application systems connected to the internet; no electronic storage of payment card data
Controls required: Network security, access controls, logging, vulnerability management
Common for: Software-integrated POS, restaurant POS, hospitality systems

SAQ D
Who it applies to: All merchants and service providers not covered by SAQ A, A-EP, B, or C; the most comprehensive self-assessment
Controls required: All 12 PCI DSS requirement domains (see below)
Common for: Service providers, payment facilitators, complex card environments

PCI DSS v4.0 is organised across 12 requirement areas; scope determines which apply to individual merchants

01

Network Security Controls

Firewalls, network segmentation, and rules that restrict access to your payment card data environment from everything that doesn't need it

02

Secure Configurations

No default passwords or unnecessary services running on systems that handle card data. Every system configured to a known secure baseline

03

Protect Stored Payment Card Data

If you store card data, even temporarily, it must be encrypted, masked, or tokenised. The simplest compliance position is to store as little card data as possible

04

Encryption in Transit

All payment card data transmitted over open, public networks must be encrypted using strong cryptography. TLS 1.2 minimum. No unencrypted transmission paths anywhere in scope
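As an added example (not code from the page or from Cyber Commandos), the following builds a client-side TLS context that enforces the Requirement 4 floor described above (TLS 1.2 minimum, certificate and hostname verification) and shows a simple check over constructed scan results for in-scope endpoints that still negotiate a legacy protocol. The endpoint names and scan output are assumptions invented for the example.

```python
import ssl

# Added example, not from the page or Cyber Commandos. Demonstrates the
# Requirement 4 floor of TLS 1.2 for anything carrying card data over a
# public network, plus a check for endpoints that still accept older protocols.


def pci_client_context() -> ssl.SSLContext:
    """Context for a client that sends card data to a processor or gateway."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0, TLS 1.1
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def context_meets_requirement_4(ctx: ssl.SSLContext) -> bool:
    """True only if the context cannot fall back below TLS 1.2 and verifies peers."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
    )


# Constructed output of an assumed internal protocol scan of in-scope endpoints:
# (endpoint, lowest protocol version the server was willing to negotiate).
SCAN_RESULTS = [
    ("pay.example.internal:443", "TLSv1.2"),
    ("legacy-pos.example.internal:8443", "TLSv1.0"),
    ("tokeniser.example.internal:443", "TLSv1.3"),
]

LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def legacy_tls_endpoints(results):
    """Return in-scope endpoints that still accept a protocol below TLS 1.2."""
    return [host for host, version in results if version in LEGACY_VERSIONS]


if __name__ == "__main__":
    print("context compliant:", context_meets_requirement_4(pci_client_context()))
    print("remediate:", legacy_tls_endpoints(SCAN_RESULTS))
```

The `legacy_tls_endpoints` output is the remediation list an assessor would expect to see closed before the SAQ answer for Requirement 4 is marked as in place.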

05

Protect Against Malicious Software

Anti-malware on all systems that could be exposed to malware + regular updates + logging of activity. Applies to systems that interact with payment card data directly or indirectly

06

Secure Systems and Software

All software in scope must be developed and maintained securely. Patch management + known vulnerability remediation. Secure coding practices for any custom code that handles card data

07

Restrict Access by Business Need

Only people who need access to payment card data to do their job should have it. Access based on least privilege. Documented and reviewed regularly

08

Identify Users and Authenticate Access

Unique user IDs for every person with system access. Strong authentication including MFA for all access into the payment card data environment and all remote access

09

Restrict Physical Access

Physical controls over any location where card data is stored, processed, or transmitted. Visitor logs, badge access, secure destruction of physical media containing card data

10

Log and Monitor All Access

Comprehensive audit logs for all access to system components in scope. Log retention, log integrity, and regular log review. Anomaly detection and alerting
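As an added example that is not part of the page or of Cyber Commandos' own tooling, the block below serves two of the requirements above: Requirement 3 (store as little card data as possible, and what is stored is masked or tokenised) and Requirement 10 (audit logs must never carry a full PAN). It implements the Luhn check, PAN masking to first six and last four digits, a minimal in-memory token vault, and a log scrubber that masks Luhn-valid digit runs before a line is written. The card numbers and log lines are constructed test values, and the vault's plaintext dictionary and HMAC index key are assumptions standing in for an encrypted, separately scoped vault and a KMS-held key.

```python
import hashlib
import hmac
import re
import secrets

# Added example, not from the page or Cyber Commandos. PANs below are the
# well-known constructed test numbers, not real accounts.


def luhn_valid(pan: str) -> bool:
    """Luhn check so that 16-digit order IDs are not mistaken for card numbers."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits; the rest becomes '*'."""
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Minimal vault: the PAN lives only here, callers keep the token.

    Assumption: a real vault encrypts storage and keeps the index key in a
    KMS/HSM; the plain dict and in-process key here are for illustration only.
    """

    def __init__(self):
        self._index_key = secrets.token_bytes(32)   # assumed KMS-held secret
        self._pan_by_token = {}
        self._token_by_hash = {}

    def _index_hash(self, pan: str) -> str:
        # Keyed hash lets us detect duplicates without storing a searchable PAN
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenise(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a PAN")
        h = self._index_hash(pan)
        if h in self._token_by_hash:                # same PAN, same token
            return self._token_by_hash[h]
        token = "tok_" + secrets.token_hex(12)      # random, non-reversible
        self._pan_by_token[token] = pan
        self._token_by_hash[h] = token
        return token

    def detokenise(self, token: str) -> str:
        return self._pan_by_token[token]


PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def scrub_log_line(line: str) -> str:
    """Mask any Luhn-valid 13-19 digit run before the line reaches the audit log."""
    def replace(match):
        run = match.group(0)
        return mask_pan(run) if luhn_valid(run) else run
    return PAN_RE.sub(replace, line)


# Constructed log lines: the order ID is 16 digits but fails Luhn, so it survives.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z order=9876543210123456 card=4111111111111111 status=auth",
    "2024-05-01T10:00:02Z card=5555555555554444 amount=1200.00 status=captured",
]


def scrubbed_samples():
    return [scrub_log_line(line) for line in SAMPLE_LOG]


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenise("4111111111111111")
    print("store:", token, "display:", mask_pan(vault.detokenise(token)))
    for line in scrubbed_samples():
        print(line)
```

Running the scrubber on the way into the logging pipeline, rather than cleaning logs after the fact, is what keeps log storage out of the card-data scope that Requirement 3 is trying to shrink.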

11

Test Security Regularly

Quarterly vulnerability scans by an Approved Scanning Vendor (ASV). Annual penetration testing. File integrity monitoring. Wireless scanning where applicable

12

Information Security Policy

A documented and maintained information security policy covering all 12 requirements, regularly reviewed, with employee awareness training. Third-party vendor agreements must include clauses covering the PCI DSS requirements that apply to the vendor.

From first assessment to Attestation of Compliance (AoC)

Phase 1

Scope Definition and Level Assessment

The single most important step in PCI DSS. We define precisely what is in scope: which systems, networks, and processes handle payment card data. Then we determine your merchant level and applicable SAQ type. Reducing scope BEFORE remediation begins saves significant time and effort.

Phase 2

Gap Assessment

We assess your current environment against every requirement in your applicable SAQ or full PCI DSS framework. Every gap is documented with a severity rating, the specific PCI DSS requirement it violates, and the remediation required

Phase 3

Control Implementation and Remediation

We implement the technical and administrative controls required across all 12 requirement domains relevant to your scope. We implement firewall rules, configure access controls, enable logging, address vulnerability findings, and update documentation. Other advisors don't

Phase 4

SAQ Preparation or QSA Readiness

For Levels 2-4: we complete the SAQ with you, verify every answer against your implemented controls, and prepare your Attestation of Compliance (AoC) for submission to your acquiring bank or payment aggregator. For Level 1: we prepare your environment for QSA assessment and coordinate the on-site audit process with the QSA firm

Phase 5

AoC Submission and Annual Maintenance

We coordinate submission of your AoC to your acquiring bank or payment aggregator. We then maintain your programme, tracking the annual SAQ cycle, coordinating quarterly ASV scans, and updating controls as PCI DSS requirements evolve over time

PCI DSS plans for your business

PCI DSS compliance is delivered as the Fintech Pack - added onto a base Starter or Leader subscription. You need both a foundation and the pack.

Fintech Pack - add-on to Starter or Leader plans
Base pack, Starter: DPDP and one of ISO 27001, SOC 2 Type 1, or SOC 2 Type 2
Base pack, Leader: DPDP + ISO 27001 + SOC 2 Type 1 or 2 (recommended)
Fintech Add-on Pack: PCI DSS readiness, SAQ preparation and coordination

Third-party QSA fees for annual on-site assessment (Level 1 merchants only) are paid directly by you to the QSA firm. This fee is separate from Cyber Commandos fees. Merchants at Levels 2-4 using SAQ self-assessment do not have QSA fees. Quarterly ASV (Approved Scanning Vendor) scans are an additional cost if required for your level.

Big Four: ₹1Cr+ annual minimum; reports only; no implementation; no guarantee
Cyber Commandos: cost-optimized, end-to-end implementation

We do all the work and the card network accepts your Attestation

  • Scope definition: identifying every system, network, and process that handles payment card data
  • Merchant level determination and correct SAQ type selection
  • Gap assessment against all applicable PCI DSS requirements
  • All required policy documentation, network diagrams, and data flow documentation
  • Technical control implementation across all in-scope requirements
  • SAQ completion and verification for Levels 2-4 merchants
  • QSA audit readiness and coordination for Level 1 merchants
  • Attestation of Compliance (AoC) preparation and acquirer submission
  • Annual cycle management, quarterly ASV scan coordination, deadline tracking

Who issues the Attestation of Compliance?

PCI DSS Attestations of Compliance are issued by the merchant or service provider based on either a completed SAQ (Levels 2-4) or a Report on Compliance produced by an independent Qualified Security Assessor (Level 1). The QSA firm fee is separate from Cyber Commandos fees. Cyber Commandos manages the entire process and ensures your environment is ready; the card networks and your acquiring bank are the acceptance authority.

PCI DSS and ISO 27001 together

PCI DSS and ISO 27001 controls overlap - access management, logging, encryption, incident response, and vendor management appear in both standards. Our Leader plan builds the ISO 27001 framework as the security foundation, and the Fintech Pack layers the PCI DSS-specific requirements on top. This means that part of the PCI DSS control work is already completed before we begin PCI-specific remediation.

When your payment aggregator asks for PCI DSS, you'll be ready

Start with the free 15-minute gap analysis. Receive your readiness report by email and we can take it from there.
