PCI DSS Consultation


PCI DSS Compliance

Practical and Cost-Effective Compliance Packages from £1,800

Expert-led guidance for small and medium-sized merchants. Get your scope right, scan what matters, and sign off with confidence.

Compliance should feel achievable. We make PCI DSS simple, pairing accredited expertise with a reassuring, step-by-step approach that fits your business and your budget.

All prices exclude VAT


Why Teams Choose CyberLab

We go beyond basic scanning. Our tailored approach ensures that PCI DSS compliance becomes a strategic enabler by aligning security controls with your business objectives, reducing operational risk, and protecting revenue-critical systems from reputational and financial fallout.


Practical Expertise

Our consultants don't just audit your systems; they provide actionable guidance specific to your organisation.


Predictable Effort

You'll know exactly what you're getting with fixed days and transparent Approved Scanning Vendor (ASV) pricing.

Aligned to your Programme

Works alongside Cyber Essentials and ISO 27001.

In-House Testing Team

Where required, our certified experts deliver robust testing to meet PCI DSS requirements.
No outsourcing, no delays.

PCI DSS Packages

PCI Compliance Level 4

Fewer than 20,000 transactions per year
£1,800
  • Review of existing SAQ (Self-Assessment Questionnaire) and ASV (Approved Scanning Vendor) reports
  • Identification of cardholder data environment (CDE)
  • Consultancy around Self Assessment Questionnaire (SAQ)
  • Pre-Assessment Check
  • Annual ASV scan of all endpoints in scope
  • CyberLab report and Attestation of Compliance (AOC)

PCI Compliance Level 3

Between 20,000 and 1,000,000 transactions per year
£2,700
  • Review of existing SAQ (Self-Assessment Questionnaire) and ASV (Approved Scanning Vendor) reports
  • Identification of cardholder data environment (CDE)
  • Consultancy around Self Assessment Questionnaire (SAQ)
  • Pre-Assessment Check
  • Quarterly ASV scan of all endpoints in scope
  • CyberLab report and Attestation of Compliance (AOC)
Add ASV (Approved Scanning Vendor) vulnerability scan endpoints

  • 5x ASV vulnerability scan endpoints: £200
  • 10x ASV vulnerability scan endpoints: £400
  • 25x ASV vulnerability scan endpoints: £600
  • 50x ASV vulnerability scan endpoints: £1,200

Select how many endpoints are in scope for vulnerability assessments.

All prices exclude VAT

What You Get

Clarity on Scope

We map your cardholder data environment (CDE) with precision, removing ambiguity and reducing audit risk.

Clean, Audit-Ready Evidence

Concise AOC reports align with your infrastructure, flag issues early, and ensure you’re ready for assessment.

Confidence in Your Process

We translate complex requirements into plain English that your team can understand and implement.

Advice You Can Trust

Our trusted advisors understand your requirements and help guide the process.


Frequently Asked Questions

PCI DSS, the Payment Card Industry Data Security Standard, is a global baseline of security requirements that helps any organisation that accepts, stores, or transmits payment card data protect that information from theft and fraud. It is developed and maintained by the PCI Security Standards Council (PCI SSC), which is backed by the major card brands.

Payment Card Industry Data Security Standard.

It is a single, globally used standard with 12 core requirements (grouped into broader security goals) that cover how you design, run and evidence the security of any systems that touch cardholder data.

Being PCI DSS compliant means you have implemented the applicable controls and validated them, via a Self-Assessment Questionnaire (SAQ) or a full QSA assessment, for the systems in scope, and you can evidence the results to your acquirer or the relevant card brand.

Version 3.2.1 was retired on 31 March 2024. Version 4.0/4.0.1 is now the active standard, and the v4 requirements became mandatory on 31 March 2025. 

PCI DSS v4.0 was published on 31 March 2022 with a transition period. v3.2.1 remained valid until 31 March 2024; from 1 April 2024, v4.x is the only supported version, with future-dated controls enforced from 31 March 2025.

There are 12 core requirements covering networks, data protection, vulnerability management, access control, monitoring/testing, and policy.  

Merchants are categorised into one of four PCI DSS compliance levels, determined by how many card transactions they handle each year. These levels are set by the PCI Security Standards Council (SSC), which brings together the major card brands such as Visa, Mastercard, American Express, JCB, and Discover. 

  • Level 1: Over 6 million transactions annually 
  • Level 2: Between 1 million and 6 million transactions per year 
  • Level 3: Between 20,000 and 1 million transactions per year 
  • Level 4: Fewer than 20,000 transactions per year 

Key updates include: broader multi-factor authentication (MFA) expectations across access into the CDE; modernised terminology (e.g., network security controls); a customised approach option for meeting objectives; and stronger e-commerce client-side controls (Req. 6.4.3 & 11.6.1) to manage and monitor payment-page scripts against e-skimming.

1) Scope correctly: identify your cardholder data environment (CDE) and anything that can impact it.

2) Map to the right Self-Assessment Questionnaire (SAQ) (or ROC) and implement the relevant parts of the 12 requirements.

3) Validate (SAQ/QSA ROC) and maintain evidence with ongoing activities like ASV scans and testing.

4) Repeat annually and embed controls into business-as-usual.

It is not statute law, but it is a contractual requirement from the card brands/acquirers, and non-compliance can affect your ability to take card payments and may trigger fines or increased fees. You still have separate legal duties (e.g., under UK GDPR) for personal data.

Yes. The PCI SSC develops standards used by payment stakeholders worldwide; PCI DSS is described by the Council and national bodies like BSI as the global standard for securing payment card data.  

The Cardholder Data Environment (CDE) is everything (people, processes and technology) that stores, processes, or transmits cardholder data or sensitive authentication data, together with systems that can impact its security. Getting CDE scope right is critical because PCI DSS applies fully inside that boundary.

To provide a baseline of technical and operational controls that protect account data across the global payments ecosystem.

It reduces the likelihood and impact of payment data breaches, protects customers, sustains trust, and keeps your organisation eligible to accept cards while aligning with good security hygiene you can reuse across other frameworks.  

Speak With an Expert

Enter your details and one of our specialists will be in touch.

Whether you are looking to implement basic cyber security best practice, improve your existing defences, or introduce a new system or solution, our team of expert consultants, engineers, and ethical hackers is here to help.

Our team specialises in creating bespoke security solutions and testing packages to improve and maintain your security posture.

We are 100% vendor agnostic and will only ever recommend the best products and solutions for your requirements.