You take cards.
You need PCI DSS.

If money moves through your checkout, PCI DSS is already your problem. It is the standard every business taking card payments is bound to, and most are quietly breaking it without realising.

We scope it honestly, fix what fails, and get you compliant without a rebuild. One senior PCI DSS consultant, start to finish.
40-day Compliant
Deadline Guaranteed
Scope Is Everything
No Needless Rebuilds
Whole-Estate Diagnosis
Senior-Led Execution

PCI DSS compliance is optional. In the way oxygen is.

PCI DSS is not a law. No statute will fine you for ignoring it. What happens instead is quieter and more expensive: your acquiring bank, the one that lets you take cards at all, can raise your fees, withhold your funds, or simply stop processing you. The card networks wrote the standard, the banks enforce it, and you agreed to every word in the contract you skimmed the day you set up payments.

Then there is the day it actually bites. A breach, a leak of card data, an acquirer audit triggered by exactly that. Suddenly the standard you had filed under paperwork is the difference between an awkward week and a business-ending one, because the penalties and the per-card liability do not much care that you meant to get round to it.

Here is the part the industry says less loudly. The cheapest route through PCI is not more security. It is less card data. Push the actual card numbers off your systems and onto someone built to hold them, and most of the standard simply stops applying to you. Done properly, compliance is mostly a scoping exercise with a clever answer, not a year of hardening you never needed.

What is PCI DSS?

PCI DSS, the Payment Card Industry Data Security Standard, is the set of security rules every business that takes card payments is required to follow. It is maintained by the PCI Security Standards Council, which the major card networks set up to write the standard they then oblige you to meet. It runs to twelve headline requirements, which sounds manageable right up until you notice the twelve unfold into several hundred individual controls underneath.

The aim is simpler than the document: keep cardholder data safe, and keep none of it you do not absolutely need. Hold up under the rules and you protect your customers, your acquirer relationship, and the slice of your revenue that depends on being allowed to take a card at all.

Which SAQ applies to me?

Most merchants never face a full external audit. What you face instead is a Self-Assessment Questionnaire, the SAQ, and there is more than one. Which version you complete depends entirely on how card data flows through your business, and that single fact decides whether PCI is a short afternoon or a long quarter.

At the friendly end, if your checkout hands the customer straight to a provider like Stripe or PayPal, by redirect or through the provider’s own hosted fields, so that your page never touches the card number itself, you qualify for the shortest questionnaire and the lightest burden. At the other end, if your own systems see, store or transmit card data, even a card form your own page builds and posts to the gateway, the questionnaire swells, the scans arrive, and the work multiplies. Most businesses are sitting somewhere they have never actually checked.

Choosing the right SAQ is not box-ticking, it is the entire game. Pick the wrong one and you either do far more work than you owe, or worse, certify to something that does not match how your business really runs. Working out exactly which one fits your payment flow is the first thing we do, before a single control is touched.

How long does compliance take?

Less time than the dread of it suggests. When your payment flow is already sensible and card data barely grazes your systems, the right SAQ can be scoped, evidenced and attested inside days. When card data is strewn across servers, spreadsheets and a CRM nobody audits, it takes longer, because the honest first move is usually to shrink that footprint before certifying it.

The standard itself is rarely the slow part. The slow part is finding where card data has quietly collected over the years, like dust nobody was asked to clear. Map that, and the rest moves at the speed of the actual work, not the speed of a programme padded to look thorough.

What does PCI DSS cost?

It depends, and anyone quoting a flat figure before seeing your payment flow is guessing in public. Cost is governed by one thing above all others: how much card data your systems touch. Less data, less scope, less cost. More data, more scans, more controls, a longer invoice.

There are small fixed costs along the way, an external scan here, a fee there, depending on your level and your SAQ. The real variable is remediation, and remediation is exactly where a good scoping decision early saves you a fortune later. We price against your actual payment architecture rather than a packaged programme, and a surprising amount of the time the right answer makes you cheaper to secure, not dearer.

We will not be the lowest bid. We will be the one fixing the cause instead of billing the symptom, and the one most likely to make your next renewal trivial rather than traumatic.

What the work actually involves.

01. Map the card-data flow

Find every place a card number is seen, sent or stored, including the places you had forgotten. You cannot secure or descope what you have not located, and almost everyone underestimates their own footprint.
Payment-flow mapping
Cardholder data discovery
Scope definition
SAQ & level selection
Network segmentation review

02. Shrink the scope

The cheapest control is the data you no longer hold. Wherever possible we move card data off your systems entirely, so most of the standard stops applying and renewals turn easy.
Tokenisation
Hosted fields (iframe)
Gateway redirect
P2PE
SAQ A eligibility

03. Secure what is left

For whatever card data genuinely has to stay in scope, the real controls go in. Not theatre. The unglamorous things that actually stop a skimmer.
CDE hardening
Enforced MFA
Least-privilege access
Logging & monitoring
Payment-page integrity

04. Evidence, scan and attest

Complete the right SAQ properly, pass the quarterly external ASV scans your SAQ requires, and produce an Attestation of Compliance that matches reality rather than wishful thinking. For the highest volumes, where a QSA-signed Report on Compliance replaces self-assessment, we handle the QSA-led route.
Correct SAQ
ASV scans passing
Penetration testing
Clean AOC
QSA liaison

Compliant on paper. Breached in practice.

Ask an AI to build your checkout and it will hand you something that works first time and looks thoroughly professional. What it will not mention is that the tidy little script it dropped onto your payment page now has a clear view of every card number your customers type, or that the convenient way it stored an order, card number and all, quietly dragged your whole server into PCI scope. The code runs. The demo is flawless. The liability is yours.

This is the precise attack the standard’s newest rules were written to stop: payment-page skimming that nobody noticed because the site never once looked broken. Those rules expect you to know every script that runs on your payment page, why each one is there, that none of them has been tampered with, and to notice when the page itself changes. Working software and a secure payment flow are not the same thing, and only one of them turns up in a demo. Telling them apart is what you are actually hiring.
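Two of the claims above are easier to believe with something that runs: that card data collects in places nobody audits (the cardholder-data discovery step under "01. Map the card-data flow"), and that one storage shortcut pulls a server into scope. The script below is an added example written for this page, not the consultancy’s own tooling. It finds Luhn-valid card numbers in constructed log, CRM and order lines, reports them masked, and then shows an order-save routine that persists whatever the form posted beside one that keeps only a gateway token and refuses any record carrying a full number. The sample lines, the `payment_token`, `last4` and `brand` field names and the token value are assumptions; the card numbers are the public Visa and Mastercard test PANs, which pass the checksum but belong to nobody.

```python
"""
Cardholder-data discovery plus a descoping guard at the point an order is saved.

Added example for this page, not the consultancy's own tooling. The log lines,
CRM row and field names (payment_token, last4, brand) are constructed and
assumed; the card numbers are the public Visa/Mastercard test PANs, which pass
the Luhn check but belong to nobody.
"""
import re
from typing import Iterable

# A candidate PAN is 13 to 19 digits, optionally split by single spaces or
# dashes. The pattern over-matches on purpose; the Luhn check removes the noise.
# Runs of 20+ digits never match, since no card number is that long.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812). Order IDs and phone numbers almost
    always fail it, which is what separates a card number from a number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four, the display form PCI DSS permits; the rest starred."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid card number in text as a bare digit string."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_lines(lines: Iterable[tuple[str, str]]) -> list[tuple[str, str]]:
    """Scan (source, line) pairs and report (source, masked PAN) for each hit.
    The report carries masked numbers only, so the discovery tool does not
    become one more place full card numbers end up stored."""
    return [(source, mask(pan)) for source, line in lines for pan in find_pans(line)]


# Constructed sample of where card data quietly collects: an application log,
# a CRM export, and two near misses that a naive digit-run regex would flag.
SAMPLE_LINES = [
    ("app.log", "2024-05-03 10:12:44 POST /checkout card=4111 1111 1111 1111 amount=49.90"),
    ("crm_export.csv", 'Smith,J,"rang with card 5555-5555-5555-4444 to settle invoice 2231"'),
    ("orders.csv", "ORD-4111111111111112,paid"),                 # 16 digits but fails Luhn
    ("support.txt", "caller on 0333 054 0422 opened a ticket"),  # too short to be a PAN
]


class CardDataInRecord(ValueError):
    """Raised when an order record would persist a full card number."""


def store_order_unsafe(order: dict) -> dict:
    """The shortcut a generated checkout tends to take: persist whatever the
    form posted. The PAN lands in the orders table, and the server that holds
    it is now part of the cardholder data environment."""
    return dict(order)


def store_order_tokenised(order: dict) -> dict:
    """Persist the gateway's token and PCI-permitted display data only, and
    refuse the write if any field carries a full card number. The token and
    the field names are assumptions made for this example."""
    for field, value in order.items():
        if isinstance(value, str) and find_pans(value):
            raise CardDataInRecord(f"full card number in field {field!r}")
    return {
        "order_id": order["order_id"],
        "amount": order["amount"],
        "payment_token": order["payment_token"],
        "last4": order.get("last4"),
        "brand": order.get("brand"),
    }


# Constructed orders: what a plain card form on your own page posts, and what
# the same checkout posts once the provider's hosted fields return a token.
POSTED_BY_PLAIN_FORM = {"order_id": "A1001", "amount": "49.90",
                        "card_number": "4111 1111 1111 1111", "expiry": "12/27"}
POSTED_BY_HOSTED_FIELDS = {"order_id": "A1001", "amount": "49.90",
                           "payment_token": "tok_demo_1a2b3c", "last4": "1111",
                           "brand": "visa"}


if __name__ == "__main__":
    for source, masked in scan_lines(SAMPLE_LINES):
        print(f"{source}: {masked}")
    try:
        store_order_tokenised(POSTED_BY_PLAIN_FORM)
    except CardDataInRecord as exc:
        print("refused:", exc)
    print(store_order_tokenised(POSTED_BY_HOSTED_FIELDS))
```

The same plain `card_number` field that the unsafe routine writes to disk is also what gives any script on the page a view of the number in the browser; hosted fields move that input into the provider’s iframe on the provider’s origin, where the same-origin policy keeps scripts on your page out of it. That browser half is not shown here. Run the scanner over real logs, database dumps and exports before anyone signs an SAQ, and keep its output masked, because a discovery report full of live card numbers is itself in scope.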

What you will not get here.

No flat quote conjured before anyone has looked at how you take payments. No programme built to secure card data you should never have been keeping in the first place. No attestation signed off by someone who will be unreachable the day your acquirer asks a follow-up question.

We do not take on merchants who want the certificate without the change, because a tidy SAQ sitting over a leaking checkout is not compliance, it is a forgery with extra steps. The attestation has to be true. We are tiresome about that.

Q&A: PCI DSS Basics

What Is a PCI DSS Consultant?
Someone who works out which version of the standard actually applies to you, reduces your scope so you owe as little of it as possible, fixes what genuinely fails, and walks you to a clean attestation. The good ones cut your card-data footprint before reaching for expensive controls. We have done it solo, end to end, including alongside Cyber Essentials for a business that could not afford a gap.

What Is PCI DSS?
The Payment Card Industry Data Security Standard: the security rules every business taking card payments must meet, maintained by the card networks’ own standards council. Twelve headline requirements covering how you protect cardholder data, sitting on top of several hundred detailed controls. It is contractual rather than legal, but your bank can stop processing you for ignoring it.

Which SAQ Applies to Me?
It depends entirely on how card data flows through your business. If your checkout fully outsources payment to a provider and never touches the card number, you get the shortest questionnaire. If your systems see, store or transmit card data, it grows. Picking the right one is the single most important decision in the exercise, and the first thing we get right.

Is PCI DSS a Legal Requirement?
Not a law, no. It is a contractual obligation you accept the moment you agree to take card payments. Enforcement is financial rather than criminal: higher fees, withheld funds, fines passed down by your acquirer, and serious liability if a breach exposes card data. Optional in theory, unavoidable in practice.

What Does PCI DSS Compliance Cost?
It tracks your scope, which tracks how much card data your systems touch. Outsource payment cleanly and the cost is small. Hold card data across your own systems and it climbs through scans, controls and remediation. We price against your real payment architecture, and often the cheapest move is to handle less data rather than buy more security.

If I Use a Payment Provider, Do I Still Need PCI DSS?
Yes, though far less of it. Outsourcing payment to a compliant provider shrinks your obligation to the shortest self-assessment, it does not erase it. You remain responsible for how customers reach that provider, and for not quietly reintroducing card data through a side door. Less burden, not none.

Can AI Build a Compliant Checkout?
It can build a checkout that works. It will not reliably warn you that the script it added can read card numbers, or that a storage shortcut pulled your server into scope. Functional and compliant are different claims, and only one of them survives an actual assessment.

AI will build your checkout in seconds, but it might hand the card numbers to a stranger.

Find out how much PCI actually applies to you.

Most enquiries start with a worried email from a bank, or a question buried in a customer’s security form. A short call is usually enough to tell you which SAQ you really fall under, how much of the standard you can make vanish by handling less card data, and whether the quote you have been handed is solving the problem or quietly selling around it.

Commonly Asked Questions

Do You Really Guarantee Outcomes?
On eligible projects, yes. A specific commitment with a defined consequence if we miss it. That is not a marketing line, it is what confidence looks like when it is willing to be measured. Not every project qualifies, and we will tell you honestly whether yours does.
Do You Work on a Revenue-Share Basis?
For e-commerce and lead generation projects with clear commercial upside, we work at near cost in exchange for a share of the additional revenue we generate. We take a stake in the result because we are confident enough to bet on our own work. It is not offered to everyone. It needs a viable business, a real opportunity, and a straight conversation first.

Where Are You Based?
Based in Warwick, working on site across Warwickshire, Shropshire and the wider Midlands, and remotely across the UK and internationally.

Plenty of security work has to happen in the building: configuring firewalls, securing the network, setting up machines, training the people who actually click the links. We travel for that. Remote where it makes sense, in person where it matters.

Do You Offer Ongoing Support?
Yes, on retainer. Certification lapses, threats move, and staff turn over. Ongoing support keeps the controls in place between annual renewals, handles incidents when they come, and means the person who built your security is the person who maintains it. No ticket queue. No stranger relearning your estate every time.

Do You Do Client Work or Build Your Own Products?
Both. Alongside client work we build and sell our own tools, like custom systems for e-commerce, with more in development. The same standards apply: built properly, supported directly, and made to do one job well rather than ten jobs badly.

Contact

Location:

Based in Warwick. On site across Warwickshire, Shropshire and the Midlands, remote across the UK and beyond.

Phone:

+44 3330 540 422

Worth Reading. Occasionally.

Infrequent notes on AI, cyber security, performance and what actually moves revenue. No filler, no sales sequence, unsubscribe with one click.

Still Have Questions?

A short call usually answers them faster than email, and tells you where the highest-leverage work actually is. No obligation.