Pass your PCI DSS audit. Fixed fee. UK QSAs.
UK Qualified Security Assessor Company. Scoping calls are free. Fees are fixed before we start. We tell you in plain English what’s missing and what to fix.

What is PCI DSS?
The Payment Card Industry Data Security Standard is the set of security requirements that any organisation handling payment-card data has to meet. It is published by the PCI Security Standards Council — a body sponsored by the major card brands: Visa, Mastercard, American Express, Discover, JCB, and UnionPay.
It applies whenever you store, process, or transmit cardholder data — whether you are a merchant taking payments, an acquirer processing them, or a service provider supporting either. The current version is PCI DSS 4.0.1, published in June 2024.
Key facts
- Current version: 4.0.1
- Requirements: 12
- Control objectives: 6
- Merchant levels: 4
What we do
Four engagement types covering the full PCI DSS lifecycle — from first gap review to ongoing assessor support.
QSA-led ROC assessments
Full Report on Compliance for Level 1 merchants and service providers, with formal Attestation of Compliance signed off by our QSAC.
SAQ guidance and remediation
Self-Assessment Questionnaire support for Level 2–4 merchants — scoping, control-gap fixes, evidence handling, and submission.
Gap assessments and roadmaps
Pre-audit readiness review against the 12 requirements, with a phased remediation plan tied to your business calendar.
Ongoing compliance support
Year-round QSAC support between audits, on retainer or by engagement — change reviews, evidence management, and assessor availability when you need it.
PCI DSS merchant levels
Your acquirer determines which level applies. Visa and Mastercard publish slightly different thresholds; the figures below are typical.
- Level 1: Over 6 million card transactions per year, or any merchant the brands designate Level 1 after a breach.
  Validation: On-site QSA assessment, ROC, AOC, quarterly ASV scans.
- Level 2: 1 million to 6 million transactions per year.
  Validation: SAQ + AOC, quarterly ASV scans.
- Level 3: 20,000 to 1 million e-commerce transactions per year.
  Validation: SAQ + AOC, quarterly ASV scans.
- Level 4: Fewer than 20,000 e-commerce transactions or fewer than 1 million total transactions per year.
  Validation: SAQ + AOC; quarterly ASV scans recommended.
How an audit runs
The same five-stage process whether you need a ROC, an SAQ, or both.
- 1. Scoping call (30 minutes, free). We map the cardholder data environment with you and confirm whether you need a ROC, an SAQ, or both. No commitment to proceed.
- 2. Gap assessment (1–2 weeks). We test your current controls against the 12 requirements and produce a remediation plan with priorities and effort estimates.
- 3. Remediation support (variable). We work alongside your team on the fixes — no throw-it-over-the-wall handover. You set the pace.
- 4. On-site assessment (1–2 weeks). Our QSA validates each control, gathers evidence, and writes the Report on Compliance. Remote where appropriate.
- 5. ROC and AOC delivery (1–2 weeks). Formal Report on Compliance and Attestation of Compliance, signed and issued by our QSAC. Submitted to your acquirer or card brand.
Self-Assessment Questionnaires
If you are not Level 1, you complete an SAQ instead of a full ROC. The right SAQ depends on how cardholder data flows through your business.
Why 1 Sequence Cyber
PCI SSC-listed QSAC
Listed on the PCI Security Standards Council website as a Qualified Security Assessor Company. Our assessments are recognised by all major card brands.
CREST DPT alignment
Penetration Testing aligned to the CREST Defensible Penetration Test specification — directly relevant to PCI DSS Requirement 11.4 testing.
Ready to start your PCI DSS audit?
Tell us your acquirer level and your last assessment date. We’ll come back with a fixed-fee proposal within 48 hours.