The Situation
Following rapid growth that pushed their annual card transaction volume above 6 million transactions, the company was reclassified from PCI-DSS Level 4 to Level 1 — the most rigorous compliance tier, requiring an annual on-site assessment by a Qualified Security Assessor (QSA) rather than a self-assessment questionnaire (SAQ). The company had 90 days to achieve Level 1 compliance or risk suspension of their payment processing capabilities.
PCI-DSS Level 1: What Changed
The transition from Level 4 to Level 1 meant that a self-assessment questionnaire was no longer sufficient: Level 1 requires a full on-site assessment by an approved QSA, documented in a Report on Compliance (ROC). Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) and an annual penetration test are also expected below Level 1 (depending on SAQ type and acquirer), but at Level 1 the evidence for them, and for every other requirement, is examined by the QSA rather than self-attested. The scope of the Cardholder Data Environment (CDE) — the systems that store, process, or transmit cardholder data, plus anything connected to them or able to affect their security — had never been formally defined, so nobody could say which systems the assessment would cover.
Scope Definition and Reduction
Our first engagement was a cardholder data flow workshop to formally define and then reduce the scope of the CDE. By implementing network segmentation and tokenization, we reduced the in-scope system count from 340 to 47 — dramatically reducing the cost and complexity of the annual QSA assessment. Segmentation only takes a system out of scope if it is shown to be effective, so the segmentation controls themselves became part of the annual penetration test. Scope reduction is consistently the highest-ROI activity in PCI compliance programs.
Technical Remediation
Key technical controls implemented to achieve Level 1 compliance:
- Network segmentation isolating the CDE from all other network zones, with a default-deny firewall policy, documented business justification for each permitted flow, and monitored rule changes
- Tokenization of all cardholder data — the PAN is replaced with a vault-issued token at the point of capture, so no system outside the tokenization vault ever stores a card number
- Point-to-point encryption (P2PE) implemented for card-present (in-person) payment channels, so POS terminals and the store networks behind them carry only encrypted card data
- Web application firewall (WAF) deployed in front of payment pages
- File integrity monitoring (FIM) deployed on all CDE servers, with alerts reviewed and critical file comparisons performed at least weekly
- Quarterly ASV vulnerability scans initiated, with remediation and re-scan of any finding that would produce a failing scan (CVSS 4.0 or higher) before the quarter closes
- Annual penetration test conducted against the full CDE scope, including testing that the segmentation controls actually keep out-of-scope systems away from the CDE
- Change management and privileged access management processes formalized, with CDE-impacting changes reviewed before implementation
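To make the tokenization point concrete, here is an added, illustrative Python example of tokenization at the point of capture (written for this page; it is not the company's or the consultancy's code). It assumes a hypothetical `TokenVault` service that would live inside the CDE and a merchant-side `capture_payment` function that never retains the PAN. The token's random part deliberately contains no digits, so a token can never be mistaken for, or matched by a PAN scanner as, a card number; the in-memory vault is a stand-in only, since a real vault must render stored PANs unreadable and restrict detokenization to callers inside the CDE.

```python
"""Illustrative point-of-capture tokenization (added example, not code from the
original page).  The merchant application only ever holds a token; the PAN is
handed straight to the vault, which stands in for a hardened service inside
the CDE.  The dict-backed vault below is an assumption for the example and
does not itself satisfy PCI DSS Requirement 3 (PAN must be rendered
unreadable where stored)."""
import json
import re
import secrets
import string

# Random part of a token: letters only, so it can never look like a PAN.
TOKEN_ALPHABET = string.ascii_uppercase
TOKEN_RANDOM_LEN = 20  # 26**20 ~ 2e28 possibilities, ~94 bits of entropy


def luhn_valid(pan: str) -> bool:
    """Luhn check used both to validate captured PANs and to cut false
    positives when scanning records for leaked card numbers."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four is the most PCI DSS permits on a display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical tokenization service.  In production this runs inside
    the CDE, encrypts what it stores and only detokenizes for authorised
    CDE callers (e.g. the refund path), never for the merchant web tier."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}  # token -> PAN (encrypted in reality)

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        random_part = "".join(secrets.choice(TOKEN_ALPHABET)
                              for _ in range(TOKEN_RANDOM_LEN))
        # Last four digits are kept in the token so receipts and order
        # history can show them without ever touching the vault again.
        token = f"tok_{random_part}_{pan[-4:]}"
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def capture_payment(pan: str, amount: str, vault: TokenVault) -> dict:
    """Merchant-side capture: swap the PAN for a token immediately and build
    the order record from the token alone.  A fresh token is issued per
    capture; a per-PAN persistent token is a different design choice."""
    token = vault.tokenize(pan)
    return {"amount": amount, "card_token": token, "last4": token[-4:]}


# Candidate PAN: 13-19 digits not adjacent to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def contains_pan(text: str) -> bool:
    """Data-discovery style check: a digit run that also passes Luhn."""
    return any(luhn_valid(m.group()) for m in PAN_CANDIDATE.finditer(text))


def record_is_pan_free(record: dict) -> bool:
    """Evidence-style assertion that a stored record holds no card number."""
    return not contains_pan(json.dumps(record))


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"  # constructed sample, a well-known test PAN
    order = capture_payment(test_pan, "19.99", vault)
    print("stored record:", order)
    print("PAN-free:", record_is_pan_free(order))
    print("display:", mask_pan(vault.detokenize(order["card_token"])))
```

The `contains_pan` scan is the same kind of check an assessor expects to see run across databases, logs and file shares outside the CDE: a hit on a token-only system means scope has silently grown and the segmentation story no longer holds.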
QSA Assessment Outcome
The Level 1 on-site QSA assessment was completed without findings — every required control was in place and operating effectively. The QSA noted that the scope reduction work and the evidence documentation were among the most thorough they had reviewed. The company received its Attestation of Compliance (AOC) and Report on Compliance (ROC) on schedule.
Ongoing Compliance Program
PCI-DSS Level 1 compliance is not a one-time achievement — it requires continuous maintenance: quarterly ASV scans, annual assessment and penetration testing, and a change management process that keeps the CDE boundary from drifting, since a single unreviewed firewall rule or a new system that touches cardholder data can silently pull systems back into scope. We provide ongoing compliance support including quarterly scan management, annual penetration testing, change advisory reviews for CDE-impacting changes, and preparation for each annual QSA assessment. The company has maintained Level 1 compliance for two consecutive years with zero findings.