Service

PCI DSS 4.0 Snapshot

You take credit cards. You're supposed to be PCI compliant. But which SAQ do you even need? What's actually required for your setup? We figure it out and tell you where you stand.

10 business days
PCI DSS 4.0 aligned
QSA-ready documentation
Get Started — $2,490

This is for you if:

  • You process credit cards and need to figure out your PCI requirements
  • Your acquiring bank is asking about PCI compliance
  • You need to know what gaps you have before your next assessment
  • PCI DSS 4.0 came out and you're not sure what changed
8 SAQ types covered
10 days delivery
PCI DSS 4.0 aligned
100% QSA-ready

What you get

01. SAQ Type Determination

Which SAQ you need (A, A-EP, B, B-IP, C, C-VT, D, P2PE) and why. No more guessing. We analyze your payment flow and tell you exactly which questionnaire applies.

02. Card Data Flow Diagram

Visual map showing where card data enters, moves through, and leaves your environment. This is the foundation for understanding your scope and protecting cardholder data.

03. PCI DSS 4.0 Gap Analysis

Your current state vs. requirements. What you have, what you're missing, what will fail an assessment. Aligned to the latest 4.0 standard with all new requirements flagged.

04. Remediation Roadmap

Prioritized list of fixes. What to tackle first, what can wait, and estimated effort for each. Includes both immediate requirements and those with grace periods.

05. Scope Reduction Recommendations

Ways to minimize your cardholder data environment. Less scope means less work, less cost, and less risk. We show you where you can reduce exposure.

06. QSA Prep Documentation

If you need a QSA, this gets you ready. Documented scope, control inventory, and gap status so you can get accurate quotes and avoid surprises.

The process

8 steps from intake to complete PCI DSS 4.0 assessment.

1. Submit intake: Online form
2. Payment flow review: How you process
3. SAQ determination: Right questionnaire
4. CDE mapping: Data flow diagram
5. Control assessment: 4.0 requirements
6. Gap analysis: What's missing
7. Scope reduction: Recommendations
8. Delivery: Full report

Scope

What's included

Included
  • SAQ type determination
  • Card data flow diagram
  • PCI DSS 4.0 gap analysis
  • Scope reduction recommendations
  • Remediation roadmap
Also
  • QSA prep documentation
  • Future-dated requirements flagged
  • Control inventory checklist
  • 30-day email support

Important

This engagement constitutes a gap assessment and does not include completion of a Self-Assessment Questionnaire (SAQ). This assessment evaluates your current compliance posture to facilitate confident SAQ completion or preparation for engagement with a Qualified Security Assessor (QSA).

SAQ types explained

There are 8 different SAQ types depending on how you handle card data. Pick the wrong one and you're either doing too much work or not enough. We figure out exactly which one applies to your setup.

  • SAQ A (Smallest): Card-not-present, fully outsourced
  • SAQ A-EP (Small): E-commerce with website redirect
  • SAQ B (Small): Imprint machines only
  • SAQ B-IP (Small): Standalone IP terminals
  • SAQ C (Medium): Payment application systems
  • SAQ C-VT (Small): Virtual terminal only
  • SAQ P2PE (Small): P2PE hardware terminals
  • SAQ D (Full): All others (merchant/SP)

Before vs After

Without assessment

  • Guessing which SAQ to use
  • Card data flows unknown
  • 4.0 changes unclear
  • Scope larger than needed
  • Assessment surprises

With PCI Snapshot

  • Definitive SAQ type
  • Complete data flow diagram
  • 4.0 requirements mapped
  • Scope reduction identified
  • No surprises at assessment

Result: PCI clarity in 10 days

Common questions

We use Stripe/Square/etc. Do we still need PCI compliance?

Yes, but your scope is usually smaller. Using a payment processor reduces what you need to do, but doesn't eliminate it. We'll figure out exactly what applies to you based on how you integrate with them.

What's the difference between PCI DSS 3.2.1 and 4.0?

PCI DSS 4.0 has new requirements and more flexibility in how you meet them. Some 4.0 requirements are mandatory now, others have a grace period until March 2025. We assess against 4.0 and tell you which requirements are immediate vs future-dated.

Do we need a QSA after this?

Depends on your volume and how you process cards. Most companies self-assess with an SAQ. Level 1 merchants and service providers typically need a QSA. If you need one, this package gets you ready for that conversation.

What if we're not compliant right now?

Most companies aren't fully compliant when they start. The point is to know the gaps so you can fix them. We won't judge—we'll just tell you what needs work and help you prioritize.

Can you help with remediation too?

This package is assessment only. If you need help fixing things, email us after you see the results. We can quote follow-on work if it makes sense.

How do I know which SAQ I need?

It depends on how you accept cards and where cardholder data touches your systems. We analyze your payment flow and give you a definitive answer. No more guessing or hoping you picked the right one.

Know where you stand on PCI.

We figure out your SAQ type, map your card data flows, and show you every gap. 10 days, $2,490, clear answers.
