Key Insights:

  • Many organizations fall out of compliance between assessments, driving demand for support beyond annual validation.
  • Continuous-compliance models improve evidence quality and cut remediation rework versus annual check-the-box cycles.
  • Service provider assessments are expanding as v4.0 adds obligations, reshaping engagement scope for firms with third-party-heavy clients.

Payment Card Industry Data Security Standard (PCI DSS) engagements are becoming more complex and more frequent for audit and advisory firms. PCI DSS is the global security framework that governs how organizations protect payment card data: any entity that stores, processes, or transmits cardholder data must comply.

With PCI DSS v4.0 requirements now fully in effect, your clients need more than a checklist to stay compliant year-round. This article covers what PCI compliance actually requires, how to structure the engagement phases, and where technology can reduce the hours your team spends on evidence management and testing.

What Is PCI Compliance and Who Needs It?

PCI DSS applicability is broader than most clients expect, and the validation path that applies to each organization shapes everything from evidence depth to final deliverables. Two questions are worth settling before any other engagement work begins.

Confirm who's in scope and which validation path applies

PCI DSS applicability hinges on a single question: does the organization store, process, or transmit account data (cardholder data or sensitive authentication data), or does any of its system components connect to, or could it affect the security of, the cardholder data environment (CDE)? The PCI Security Standards Council (PCI SSC) maintains the standard, and its reach extends well beyond direct payment processors.

Merchants are classified into transaction-volume-based levels by payment brands and acquirers, with validation requirements varying by program. Service providers face a separate set of obligations defined by both the PCI DSS standard and by card brand and acquirer programs. As an assessor, one of your first tasks on any engagement is confirming which validation path applies, because the answer drives everything from reporting deliverables to evidence depth. Getting the validation path right matters, but even organizations that complete a successful assessment often struggle with what comes next.

Why compliance rates remain low

The gap between "compliant at assessment time" and "compliant year-round" is significant. Many organizations that successfully validate still find it difficult to maintain full PCI DSS compliance at interim points between assessments; most treat it as a point-in-time event rather than an operating model.

For audit and advisory firms, that gap is both a challenge and an opportunity. Clients who struggle to maintain compliance between assessments need ongoing guidance, and firms that can deliver continuous advisory support build stickier client relationships and more predictable revenue.

The v4.0 transition is complete

PCI DSS v3.2.1 retired on March 31, 2024, and the 51 future-dated requirements that were best practice during the transition became mandatory on March 31, 2025. The transition is over. Every assessment now validates against the full v4.0 requirement set, and your clients should have at least one full year of operating history under the complete control set.

How to Become PCI Compliant: Four Phases You Should Follow

PCI SSC doesn't publish standardized engagement timelines, and duration varies with scope, complexity, sampling decisions, and evidence readiness. A common pattern across firms is to structure PCI compliance programs around four broad phases, regardless of organization size.

Phase 1: Define and document scope

Scoping errors cascade through every subsequent phase, so this step deserves deliberate attention. The goal is to identify all system components, people, processes, and data flows that store, process, or transmit account data, or that connect to or could affect the security of the CDE. Under v4.0, scope must be documented and confirmed at least annually, with service providers facing a more frequent confirmation cadence.

For clients with multi-channel operations, confirm whether transaction volumes must be aggregated across business units, channels, and processing relationships. That determination typically falls under payment brand and acquirer program rules, and getting it wrong means an assessment could miss entire environments.

Phase 2: Assess controls against requirements

The assessment maps your client's controls to PCI DSS's 12 principal requirements and their sub-requirements, and it's where the bulk of evidence collection, testing, and documentation happens. ISACA highlights how much cross-functional coordination payment-adjacent audits require, and v4.0's expanded documentation expectations only add to that workload.

Phase 3: Remediate identified gaps

Few organizations pass an initial assessment without gaps. Your advisory role here is translating technical deficiencies into prioritized action plans the client can actually execute. The most effective remediation plans tie each gap to a specific requirement, assign ownership, and set realistic timelines based on the client's technical capacity.

Phase 4: Complete validation and reporting

The final phase produces the deliverables: a Self-Assessment Questionnaire with Attestation of Compliance, or a Report on Compliance, depending on the client's validation path. The reporting format matters less than the underlying evidence quality, and assessors who maintained organized evidence throughout the engagement spend far fewer hours at this stage.

These four phases work best as a cycle, not a straight line. Clients who maintain controls year-round produce better evidence, require less remediation, and are far easier to assess.

What Are the 12 PCI DSS Requirements You Must Meet?

PCI DSS v4.0 retains the familiar 12-requirement structure, but testing approaches and evidence expectations have shifted in ways that affect how you plan each engagement.

How the 12 requirements map to control domains

The requirements group into logical control domains that most practitioners already navigate comfortably. Here's how they break down:

  • Requirements 1–2: Network security controls and secure system configurations
  • Requirements 3–4: Protection of stored account data and encryption during transmission
  • Requirements 5–6: Malware protection and secure development practices
  • Requirements 7–9: Access control, covering restriction of access by business need-to-know (7), user identification and authentication (8), and physical access controls (9)
  • Requirements 10–11: Logging, monitoring, and regular security testing
  • Requirement 12: Organizational policies and programs that support PCI DSS implementation across the cardholder data environment

The structure is familiar, but how you validate within it has changed significantly in v4.0.

What changed for assessors in v4.0

Three shifts matter most for your assessment workflow. PCI SSC's guidance notes 64 new requirements in v4.0, 51 of which became mandatory in March 2025:

  • Customized approach: Clients can now meet requirement objectives through alternative controls, which gives them flexibility but puts the validation burden on you to document why those alternatives are sufficient, including a risk analysis and validation methodology.
  • Targeted risk analysis: Replaces some prescriptive frequency requirements, meaning clients can justify longer intervals between certain activities if their risk analysis supports it, and you need to evaluate whether that analysis holds up.
  • Expanded MFA scope: Now covers all non-console administrative access and all access into the CDE, not just remote access. That change affects evidence requests for many clients, particularly those with internal admin access to cardholder systems.

The net effect is more documentation per engagement and more judgment calls about evidence sufficiency: knowing when you have enough to reach a defensible conclusion without over-auditing every control.

How Advisory and Audit Teams Support PCI Compliance Programs

The assessor ecosystem runs on two distinct models, each with different independence expectations and program constraints.

Qualified Security Assessors (QSAs) vs. Internal Security Assessors (ISAs)

QSAs are independent organizations qualified by PCI SSC under its certification program to perform official PCI DSS assessments. ISAs are internal professionals who help their organizations understand PCI DSS and prepare for external assessments, but they can't replace a QSA where a brand or acquirer requires a Report on Compliance.

That distinction matters for how you staff and price engagements. QSA-led work carries the authority acquiring banks require; ISA support tends toward longer-term advisory relationships focused on readiness and remediation. Either way, the scope of PCI engagements is expanding beyond the client's own environment.

Third-party dependencies are reshaping engagement scope

Even when a client's own environment is well-controlled, third-party services like cloud platforms, payment integrators, and managed service providers can materially affect the cardholder data environment and the evidence you need to collect. PCI DSS v4.0 responds with expanded service provider obligations, including requirements that providers support compliance requests from their customers.

In practice, that means PCI engagements increasingly include service provider assessments alongside the primary merchant assessment, particularly in cloud environments where shared responsibility models make evidence and configuration documentation critical.

When to Use an Engagement Automation Platform for PCI Compliance Work

PCI compliance work tends to be evidence-heavy, and bottlenecks often show up in request tracking and testing. Engagement automation platforms can reduce manual coordination so your team can keep pace across concurrent assessments.

Where platforms reduce hours

PCI engagements generate significant documentation volume across 12 requirements and hundreds of sub-requirements. When your team manages multiple concurrent PCI assessments, the evidence collection, control testing, and reporting phases create bottlenecks that manual workflows struggle to absorb.

Platforms built for audit and advisory firms can reduce time spent on repetitive tasks while practitioners maintain review and final judgment on all outputs. Fieldguide is an end-to-end AI-native platform purpose-built for audit and advisory firms, with pre-built PCI DSS framework content and agentic AI that operates within practitioner workflows rather than as a standalone tool. Testing Agent automates controls testing workflows for risk advisory engagements like PCI, mapping evidence to control requirements and executing tests through a structured process with human checkpoints at each step. BerryDunn reported 30–50% efficiency gains and more than doubled engagement capacity after adopting Fieldguide.

Centralized evidence management

Instead of tracking client uploads across email threads and shared drives, a centralized platform with a Client Hub, like Fieldguide, gives your team real-time visibility into what's been submitted, what's outstanding, and what needs follow-up. Fieldguide's Request Agent validates whether uploaded evidence is relevant, within the audit period, and aligned to selected samples, flagging issues before they stall testing. Request analysis at the point of upload means your team spends less time chasing down the wrong documents and more time on substantive review.

Build Your PCI Compliance Practice on Fieldguide

PCI DSS v4.0 raised the bar for documentation, validation, and evidence management on every engagement. Fieldguide helps your team keep pace without proportional increases in hours or headcount.

With pre-built PCI DSS frameworks, agentic controls testing, and centralized evidence management, your practitioners spend less time on administrative overhead and more time on the judgment work that clients value. Request a demo to see how firms are scaling their PCI practices with Fieldguide.

Amanda Waldmann

Increasing trust with AI for audit and advisory firms.
