Question 1

Why work with you on architecture if you also do the audit?

Accepted Answer

Because we will accept what we recommend. Many merchants discover at audit time that their architecture relies on assumptions a QSA does not accept — segmentation that does not segment, tokenisation that does not remove scope, P2PE that is not implemented end-to-end. Doing the architecture work with the firm that will assess you closes that loop.

Question 2

What is P2PE and why does it matter?

Accepted Answer

Point-to-Point Encryption is a PCI SSC programme: a validated solution encrypts cardholder data at the point of capture and decrypts it only at a secure environment outside the merchant. If you use a PCI SSC-listed P2PE solution end-to-end, the systems handling encrypted card data sit out of scope for PCI DSS, which dramatically reduces audit scope. Eligibility for SAQ P2PE — the shortest SAQ — is the practical reward.

Question 3

P2PE v3.1 vs v3.2?

Accepted Answer

v3.2 was published in June 2025 and is the current version. v3.1 sunsets after 31 March 2026 — submissions accepted through end of 2025, quality review process complete by end of March 2026. We design and recommend against v3.2 from the outset rather than have customers re-validate later.

Question 4

What is tokenisation and how is it different from encryption?

Accepted Answer

Tokenisation replaces a primary account number with a non-sensitive token that has no mathematical relationship to the original PAN. Encryption transforms the PAN with a key — given the key, the original is recoverable. Tokenisation removes systems from scope (because the token is not cardholder data); encryption protects systems that remain in scope. Most modern payment architectures use both, in different places.

Question 5

Do you support EMV chip and contactless?

Accepted Answer

Yes. EMV Chip and EMV Contactless interoperability is core to in-person acceptance design. We work to EMVCo specifications for chip, contactless, and contactless kernel testing, and we map EMV deployment choices into the PCI DSS scoping decision. EMV does not by itself reduce PCI scope, but it interacts with P2PE and tokenisation in ways that materially affect scope.

Question 6

How does this differ from a full PCI DSS audit?

Accepted Answer

The audit (ROC or SAQ) measures conformance against the standard. Architecture work designs the systems being audited. Many customers do both with us — architecture first, then audit; or audit first, then architecture remediation against the findings. The two services are deliberately decoupled so you can buy them separately.

Question 7

Will you recommend specific vendors?

Accepted Answer

Yes during scoping, no on the page. Vendor recommendations are environment-driven — your card brand, your acquirer, your acceptance channels, your transaction volume. We work with the major P2PE solution providers and tokenisation vendors and we will recommend a fit when we have the context. We are not paid by any vendor to direct you somewhere.

Question 8

Do you cover online and in-person payments?

Accepted Answer

Yes. Online (e-commerce) and in-person (card-present) acceptance have different scope-reduction patterns. Online benefits most from redirect/iframe patterns and tokenised gateways; in-person benefits most from PCI-listed P2PE solutions. The architecture work covers whichever channels are in scope — and most merchants today have both.

Question 9

How does this fit with the rest of PCI DSS compliance?

Accepted Answer

Architecture work is part of compliance, not all of it. Once the CDE scope and control architecture are right, you still need ASV scanning quarterly (PCI DSS 11.3.2), Penetration Testing annually (11.4), incident response plans (12.10), and security awareness training (12.6). All of these are sibling services — see the related-services list.

Question 10

How long does this kind of engagement take?

Accepted Answer

Scope-dependent. A single-channel SAQ-eligible merchant can complete architecture review and recommendations in a few weeks. A multi-channel Level 1 merchant with legacy systems and multiple acquirers will take longer — typically several months including remediation. We quote a fixed fee against the architecture review and recommendations stage; implementation support is scoped separately.

Build payment systems that pass PCI DSS 4.0.1.

What we mean by secure payment solutions

What we do

CDE scoping & reduction

P2PE solution selection

Encryption & key management

MFA on payment systems

How an engagement runs

Scoping call

CDE & data-flow review

Architecture recommendations

Implementation support

Pre-audit validation

Capability areas

Cardholder Data Environment scoping

Tokenisation strategy

P2PE solution selection (PCI-listed)

MFA on payment systems

Encryption & key management

Continuous transaction monitoring

Why 1 Sequence Cyber

Same QSAC that runs the audits

Standards-aligned, not opinion-led

Frequently asked questions

Ready to scope payment architecture work?