Infraspine delivers PCI DSS v4.0 readiness assessments, gap analysis, and hands-on compliance consulting for organisations that store, process, or transmit cardholder data. From CDE scoping and network segmentation reviews through to SAQ completion and ROC preparation, our team provides QSA-qualified guidance at every stage of the compliance journey.
From initial gap analysis and CDE scoping through to penetration testing, ASV scanning, and SAQ completion — Infraspine covers the full PCI DSS compliance lifecycle.
Infraspine's PCI DSS gap analysis provides a structured evaluation of your current security controls against all 12 PCI DSS v4.0 requirement domains. Each requirement is assessed for compliance status — Compliant, Partially Compliant, or Non-Compliant — with detailed evidence notes explaining the basis for each finding. The gap analysis identifies exactly what remediation work is needed before a formal PCI DSS assessment, allowing you to prioritise effort and investment efficiently. Our gap analysis also includes a compensating controls review for requirements that cannot be met in the standard way due to technical or operational constraints, and documents the compensating control worksheet in the format required by PCI assessors. Findings are presented in a structured report with a prioritised remediation roadmap.
Accurate scoping of the Cardholder Data Environment (CDE) is one of the most important and most commonly mishandled aspects of PCI DSS compliance. The scope of your CDE determines how many systems, networks, and processes are subject to PCI requirements — and therefore the cost and complexity of compliance. Infraspine conducts a thorough data flow mapping exercise to identify every system, network, and process that stores, processes, or transmits cardholder data (CHD) and sensitive authentication data (SAD). We also identify connected-to and security-impacting systems that fall within scope even if they do not directly handle CHD. Accurate CDE scoping, with robust network segmentation to isolate the CDE from out-of-scope systems, is the foundation of a cost-effective PCI compliance programme.
Network segmentation is not required by PCI DSS, but without it the entire network falls within the scope of PCI requirements — dramatically increasing the cost and complexity of compliance. When segmentation is used to isolate the CDE, PCI DSS requires that the segmentation controls are verified to be effective. Infraspine reviews your network segmentation architecture and tests whether the CDE is truly isolated from out-of-scope systems and networks. We examine firewall rule sets, VLAN configurations, ACLs, and network monitoring controls to verify that segmentation controls prevent all traffic between the CDE and out-of-scope systems other than explicitly authorised and required communications. Segmentation testing findings are documented in a format suitable for review by your QSA and included in the assessment evidence pack.
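The rule-set review described above can be partly automated. The following Python script is an added example, not Infraspine's tooling: it takes a constructed firewall rule set, a constructed list of CDE subnets, and a constructed authorised-flow register, and flags every permit rule that crosses the CDE boundary without a matching, equally specific entry in the register (wildcard rules that touch the CDE are flagged outright). All subnets, rule names and flows are sample data.

```python
"""Static review of a firewall rule set for CDE segmentation violations.

Added example (not Infraspine's tooling). The CDE subnets, rules and the
authorised-flow register below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed: the CDE is a single subnet; everything else is out of scope.
CDE_NETS = [ip_network("10.10.0.0/24")]

# Constructed authorised-flow register: (src, dst, port) tuples the business has
# documented as required. An entry must be exactly as specific as the rule it
# justifies, so an over-broad rule never matches by accident.
AUTHORISED_FLOWS = {
    ("10.20.5.0/24", "10.10.0.0/24", "443"),   # web tier -> payment API
    ("10.10.0.0/24", "10.30.1.10/32", "514"),  # CDE hosts -> central syslog
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    port: str    # port number or "any"
    action: str  # "allow" or "deny"


def _net(cidr: str):
    """Map "any" to the whole IPv4 space so it overlaps everything."""
    return ip_network("0.0.0.0/0") if cidr == "any" else ip_network(cidr, strict=False)


def touches_cde(cidr: str) -> bool:
    """True if the range can reach at least one CDE address."""
    n = _net(cidr)
    return any(n.overlaps(c) for c in CDE_NETS)


def wholly_in_cde(cidr: str) -> bool:
    """True if the range lies entirely inside one CDE subnet."""
    n = _net(cidr)
    return any(n.subnet_of(c) for c in CDE_NETS)


def crosses_boundary(rule: Rule) -> bool:
    """A rule crosses the CDE boundary when one side can reach the CDE and the
    other side can reach addresses outside it. Purely intra-CDE and purely
    out-of-scope rules are not boundary rules."""
    src_to_dst = touches_cde(rule.src) and not wholly_in_cde(rule.dst)
    dst_to_src = touches_cde(rule.dst) and not wholly_in_cde(rule.src)
    return src_to_dst or dst_to_src


def review(rules, authorised=AUTHORISED_FLOWS):
    """Return (rule name, reason) for every permit rule that crosses the
    boundary and is not covered by the authorised-flow register."""
    findings = []
    for r in rules:
        if r.action != "allow" or not crosses_boundary(r):
            continue
        if "any" in (r.src, r.dst, r.port):
            findings.append((r.name, "wildcard in a rule that crosses the CDE boundary"))
        elif (r.src, r.dst, r.port) not in authorised:
            findings.append((r.name, "cross-boundary flow not in the authorised-flow register"))
    return findings


# Constructed sample rule set, evaluated in order as a first-match firewall would.
SAMPLE_RULES = [
    Rule("r1", "10.20.5.0/24", "10.10.0.0/24", "443", "allow"),    # authorised
    Rule("r2", "10.10.0.0/24", "10.30.1.10/32", "514", "allow"),   # authorised
    Rule("r3", "10.40.0.0/16", "10.10.0.0/24", "3389", "allow"),   # corporate LAN into CDE, undocumented
    Rule("r4", "any", "10.10.0.0/24", "any", "allow"),             # wildcard into CDE
    Rule("r5", "10.10.0.0/24", "10.10.0.0/24", "any", "allow"),    # intra-CDE, not a boundary rule
    Rule("r6", "10.50.0.0/24", "10.60.0.0/24", "any", "allow"),    # out-of-scope to out-of-scope
    Rule("r7", "any", "any", "any", "deny"),                       # final deny
]

if __name__ == "__main__":
    for name, reason in review(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

On the sample data the script reports r3 and r4 and leaves the rest alone. A static review like this only establishes what the configuration says; the requirement quoted above is that segmentation be verified to be effective, so the flagged rules and the silent ones both still need to be confirmed with live connectivity tests from out-of-scope hosts.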
PCI DSS Requirement 11 mandates quarterly external vulnerability scanning by an Approved Scanning Vendor (ASV) and internal vulnerability scanning. External ASV scanning must be conducted by a PCI SSC-approved scanning vendor and produce a clean scan report — meaning all vulnerabilities with a CVSS score of 4.0 or above must be remediated or disputed before the scan is considered passing. Infraspine coordinates ASV scanning for your external-facing CDE systems, manages the dispute process for false positives, and ensures your quarterly scan programme meets PCI DSS requirements. We also conduct and document internal vulnerability scanning of all CDE systems, providing a risk-rated findings report and tracking remediation through to re-scan confirmation. Scan reports are formatted for inclusion in your SAQ or ROC documentation.
PCI DSS Requirement 11.4 mandates annual penetration testing of the CDE — both external and internal — and testing of network segmentation controls. PCI penetration testing has specific methodology requirements that differ from general VAPT engagements: the scope must cover the entire CDE perimeter, testing must follow an industry-accepted methodology such as OWASP or PTES, and the methodology, scope, and results must be documented in a format suitable for QSA review. Infraspine conducts PCI-compliant penetration testing engagements with full documentation of the testing methodology, scope definition, exploited vulnerabilities, and remediation recommendations. We also test segmentation controls to confirm that the CDE is isolated as claimed. All findings are reported in a PCI DSS-compliant format for direct inclusion in assessment documentation.
The Self-Assessment Questionnaire (SAQ) is the primary compliance validation tool for most organisations — there are eight different SAQ types depending on how your organisation processes card payments, and selecting the correct SAQ type is itself a compliance decision. The Report on Compliance (ROC) is required for Level 1 merchants and service providers and must be completed by a qualified QSA. Infraspine supports both SAQ and ROC completion processes. For SAQs, we identify the correct SAQ type, gather and organise evidence for each applicable requirement, and complete the SAQ with you — ensuring every response is accurately documented and supported by audit-ready evidence. For ROC engagements, we prepare your evidence pack and coordinate with your QSA, reducing assessment time and minimising the risk of findings that delay compliance sign-off.
Common questions from organisations beginning or renewing their PCI DSS compliance programme.
Book a free scoping call with Infraspine. We will define your CDE scope, identify the correct SAQ type, and give you a clear compliance roadmap — no commitment required.