CSI Cyber Security Awards 2025 — Women in Cyber + Outstanding Training
Macksofy Technologies
PCI Security Standards Council · v4.0 Mandatory

PCI-DSS v4.0 Compliance

PCI-DSS v4.0 readiness, internal audit and QSA coordination.

Full PCI-DSS v4.0 readiness for merchants, processors, issuers, acquirers and service providers. Macksofy delivers ROC / SAQ readiness, network segmentation validation, ASV scanning and QSA coordination — all under one engagement.

Request AuditTalk to a consultant
Download sample audit report
CERT-In format · anonymised
Aligned to
  • PCI-DSS v4.0 (mandatory March 2025)
  • PCI Software Security Framework (SSF)
  • PCI Mobile Payment Acceptance Security
  • PCI 3DS Core Security Standard (where in scope)
Why this matters

Compliance is leverage, not paperwork.

PCI-DSS v4.0 became fully mandatory in March 2025 — with 64 new or revised requirements including continuous discovery of vulnerabilities, customised approach options and tighter authentication. Non-compliant merchants face fines from card brands ($5K–$100K+/month) and increased liability shift. Macksofy is the only Indian / UAE firm combining CERT-In empanelment with PCI-DSS depth across QSA-coordination, ASV scans and segmentation tests.

Applicability
  • Merchants — Levels 1–4 (transaction-volume tiers)
  • Acquirers + Issuing banks
  • Payment processors + gateways
  • Service providers (storage / processing / transmitting CHD)
  • Mobile wallet operators
Standards & frameworks

Aligned to the regulations that matter.

PCI-DSS v4.0 (mandatory March 2025)
PCI Software Security Framework (SSF)
PCI Mobile Payment Acceptance Security
PCI 3DS Core Security Standard (where in scope)
Methodology

How we run a PCI-DSS engagement.

Interactive walkthrough — every phase clickable, every activity documented, every artefact regulator-ready.

Phase 01 / 5
20% complete

1 · Scope reduction + CDE definition

  • 01
    Cardholder Data Environment (CDE) inventory
  • 02
    Network segmentation review
  • 03
    Tokenisation + scope-reduction architecture
Deliverables

Everything you need to satisfy auditors.

  • PCI-DSS v4.0 gap analysis (per requirement)
  • Network segmentation diagram + validation
  • ASV scan reports (quarterly)
  • ROC / SAQ + AOC drafts
  • Targeted Risk Analysis (TRA) artefacts
  • QSA-handover pack + remediation closure
Recent engagements
Payment Aggregator (Level 1)

v3.2.1 → v4.0 transition + ROC

Outcome: Cleared QSA assessment first attempt; saved ~₹35L in penalty exposure during transition

Acquiring Bank (top-10)

Scope-reduction + tokenisation architecture

Outcome: PCI scope reduced ~70% of systems; annual recurring audit cost down 40%

At a glance

The shape of a PCI-DSS engagement.

Every number below is grounded in how Macksofy actually runs the engagement — not aspirational marketing copy.

0
Methodology phases
0
Documented activities
0
Auditor-ready deliverables
0 day
Day retest window
Audit pillars

What we actually examine.

Each pillar is a distinct workstream inside the engagement — scoped, evidenced, and signed off independently before the audit pack is assembled.

18CONTROLS MAPPEDacross 6 pillars
Coverage breakdown
  • Scope reduction3 pts
  • Build & maintain secure systems3 pts
  • Protect account data3 pts
  • Vulnerability & access management3 pts
  • Monitor, test, respond3 pts
  • QSA audit pack3 pts
Pillar 01
Scope reduction

Most PCI cost overruns come from over-broad scope. We fix that first.

  • Cardholder-data discovery & flow mapping
  • Network-segmentation validation testing
  • Tokenisation / outsourcing reduction strategy
Pillar 02
Build & maintain secure systems

PCI DSS v4.0 requirements 1, 2, 6 — secure baselines + change control.

  • Firewall + segmentation rules walk-through
  • Hardened-baseline evidence per device class
  • Secure-SDLC artefacts (Req 6) for in-scope apps
Pillar 03
Protect account data

Encryption, key management and access — the heart of the standard.

  • Stored cardholder data: encryption + retention
  • Key-management lifecycle (Req 3.6)
  • Transmission encryption + cipher hygiene (Req 4)
Pillar 04
Vulnerability & access management

Reqs 5, 7, 8 — Defender, MFA, RBAC, anti-malware evidence.

  • Anti-malware coverage + tamper-protection
  • Role-based access + least-privilege evidence
  • MFA on all in-scope access (v4 enforcement)
Pillar 05
Monitor, test, respond

Reqs 10–12 — daily ops evidence that QSAs sample heavily.

  • Centralised logging + retention proof
  • Internal + external ASV scans, segmentation test
  • IR plan + breach-notification flow
Pillar 06
QSA audit pack

Everything the Qualified Security Assessor needs in one place.

  • Self-assessment questionnaire (SAQ) or RoC dry-run
  • Evidence catalogue keyed to each requirement
  • Compensating-controls worksheet where applicable
Engagement timeline

From kick-off to regulator-ready report.

The horizontal flow below shows the typical week-by-week shape of a PCI-DSS engagement. Click any station for detail in the methodology section above.

01
Week 1
Scope reduction + CDE definition
02
Week 2
Gap analysis vs v4.0
03
Week 3
Technical validation
04
Week 4
ROC / SAQ readiness
05
Week 5
QSA coordination
What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

Google
4.9 · 612 reviews
Trustpilot
4.8 · 412 reviews
LinkedIn
20K+ · followers
CERT-In Empanelled
Govt of India · MeitY
EC-Council ATC
Authorized Training
ISO 27001 Certified
Info Security Mgmt
We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.
AK
Aisha Khan
Information Security Manager · Listed Fintech · BKC, Mumbai
The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.
IK
Inspector K. Joshi
Cyber Cell · Maharashtra Police · Mumbai
Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.
VI
Vivek Iyer
DevSecOps Lead · Healthcare SaaS · Hyderabad
Read all 612 reviews on Google →
FAQ

Things compliance leads ask before signing.

We partner with leading QSAs for the formal Report on Compliance. Macksofy delivers readiness, internal audit, ASV + VAPT, segmentation testing and QSA coordination — usually saving 30–40% of QSA effort.
Other audit engagements

Cybersecurity Audit Services

An honest mirror to your security posture.

Learn more

Compliance & Regulatory Audits

Compliance, simplified.

Learn more

Cybersecurity Risk Assessment

Know what to fix first. With math.

Learn more
Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.

CERT-In Empanelled
Information Security Auditor · India
  • CERT-In Empanelled
  • EC-Council ATC · CompTIA Authorized
  • 20,000+ professionals trained
  • India + UAE engagements
Human verification· Cloudflare Turnstile

By submitting this form you agree to be contacted by Macksofy. We typically respond within a few business hours and never share your details. Protected by Cloudflare Turnstile and rate limiting.