PCI DSS Compliance India — QSA Consulting & Certification Support
Expert PCI DSS compliance in India. Gap assessment, SAQ, QSA audit support, penetration testing & remediation for merchants, payment aggregators & banks. RBI mandate compliant.
eShield Consulting provides expert PCI DSS compliance services for Indian businesses that process, store, or transmit payment card data. Our certified consultants guide organisations through PCI DSS v4.0 gap assessment, remediation, SAQ completion, and QSA-led certification audits.
Who Needs PCI DSS Compliance in India?
Any organisation that processes Visa, Mastercard, RuPay, or other card brand payment data in India is subject to PCI DSS. This includes merchants, payment aggregators, payment gateways, banks, NBFCs, fintech companies, e-commerce platforms, and service providers that handle cardholder data on behalf of merchants.
Our PCI DSS Services in India
- PCI DSS Gap Assessment — Evaluate your current environment against all 12 PCI DSS requirements. Deliverable: compliance gap report with prioritised remediation plan.
- Cardholder Data Environment (CDE) Scoping — Identify, document, and minimise the set of systems that fall within PCI DSS scope.
- SAQ Assistance — Guide eligible merchants through Self-Assessment Questionnaire (SAQ A, A-EP, B, B-IP, C, C-VT, D) completion.
- Penetration Testing for PCI DSS — Annual penetration testing required by PCI DSS Requirement 11.4.
- Network Segmentation Review — Validate network segmentation controls that reduce PCI DSS scope.
- ASV Scan Coordination — Coordinate quarterly external vulnerability scans with an Approved Scanning Vendor (ASV).
- QSA Audit Support — Prepare documentation, evidence packages, and staff for on-site QSA assessments.
- Remediation Support — Technical assistance implementing required controls across all 12 PCI DSS requirements.
PCI DSS v4.0 — What Changed for Indian Businesses
PCI DSS v4.0 (effective March 2024) introduced significant changes including enhanced multi-factor authentication requirements, targeted risk analysis, new web-skimming protections (Requirement 6.4.3 for e-commerce), expanded penetration testing requirements, and a customised approach for mature organisations. Indian payment processors must now achieve v4.0 compliance.
PCI DSS Compliance Cost in India
PCI DSS consulting for Indian organisations typically ranges from ₹2,00,000 (Level 4 merchants, SAQ-based) to ₹20,00,000+ (Level 1 service providers requiring formal QSA audits). RBI mandates that payment aggregators and gateways achieve PCI DSS Level 1 compliance. eShield provides fixed-scope pricing with full transparency.
Frequently Asked Questions — PCI DSS India
Is PCI DSS mandatory in India?
PCI DSS compliance is mandatory for Indian payment aggregators and payment gateways under RBI’s Master Directions on Payment Aggregators. All entities processing card data for international card brands (Visa, Mastercard) must comply per card brand mandates. RuPay and NPCI also require PCI DSS for entities processing their card data.
What is the difference between SAQ and a formal QSA audit?
A Self-Assessment Questionnaire (SAQ) is a self-certification process available to smaller merchants and service providers meeting specific eligibility criteria. A formal QSA (Qualified Security Assessor) audit involves an independent assessment by a PCI SSC certified QSA company, resulting in a Report on Compliance (RoC). Level 1 service providers and large merchants must undergo formal QSA audits.
PCI DSS v4.0 — What Changed
PCI DSS v4.0, released in March 2022 with a mandatory transition deadline of March 2025 (v3.2.1 retired), introduces significant changes: 64 new requirements, expanded multi-factor authentication (MFA) requirements, phishing-resistant MFA for all cardholder data environment (CDE) access, the minimum password length raised from 8 to 12 characters, a new targeted risk analysis (TRA) approach giving organisations flexibility in implementation timelines, and new requirements for payment page script inventory and integrity monitoring (Requirements 6.4.3 and 11.6.1) that target JavaScript skimming attacks such as Magecart.
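To make the 6.4.3/11.6.1 requirements concrete, the following script is an added example (not eShield's tooling and not code from the PCI SSC) of the kind of check an e-commerce merchant can run against a captured copy of its payment page: it builds an inventory of every script on the page, compares it with an authorised list that carries a written justification for each entry (6.4.3), and flags any script that was added or whose contents changed (11.6.1). The inventory entries, the `example-psp.test` and `unknown-cdn.test` hostnames, the `integrity` placeholder value and the sample pages are all constructed for this example.

```python
"""Added example: authorised-script inventory check for a payment page
(in the spirit of PCI DSS v4.0 Requirements 6.4.3 and 11.6.1).
Standard library only; all hostnames and page content are constructed."""
import hashlib
from html.parser import HTMLParser

# Constructed authorised inventory. 6.4.3 asks for a list of every script on
# the payment page with a justification; keys are the external URL, or
# "inline:<sha256 of the script body>" for inline scripts (hypothetical format).
AUTHORISED_INVENTORY = {
    "https://js.example-psp.test/checkout.js": "PSP-hosted card capture form",
    "inline:" + hashlib.sha256(b"initCheckout({currency:'INR'});").hexdigest():
        "checkout bootstrap written by the merchant",
}


class _ScriptCollector(HTMLParser):
    """Collect every <script> tag: src and integrity attribute, or inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        # HTMLParser delivers script content through handle_data (CDATA mode)
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def script_identity(script):
    """External scripts are identified by URL, inline ones by a body hash."""
    if script["src"]:
        return script["src"]
    body = script["body"].strip().encode("utf-8")
    return "inline:" + hashlib.sha256(body).hexdigest()


def audit_payment_page(html, inventory=AUTHORISED_INVENTORY):
    """Return which scripts are authorised, which are unauthorised (added or
    modified since the inventory was approved), and which external scripts
    lack an SRI integrity attribute."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = {"authorised": [], "unauthorised": [], "missing_integrity": []}
    for s in parser.scripts:
        ident = script_identity(s)
        findings["authorised" if ident in inventory else "unauthorised"].append(ident)
        if s["src"] and not s["integrity"]:
            findings["missing_integrity"].append(s["src"])
    return findings


# Constructed sample pages. The integrity value is a placeholder, not a real SRI hash.
CLEAN_PAGE = """<html><body>
<script src="https://js.example-psp.test/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script>
  initCheckout({currency:'INR'});
</script>
</body></html>"""

# A script that is not in the inventory has appeared on the page (constructed).
ADDED_SCRIPT_PAGE = CLEAN_PAGE.replace(
    "</body>", '<script src="https://static.unknown-cdn.test/stats.js"></script></body>')

# The approved inline script has been modified (constructed).
MODIFIED_INLINE_PAGE = CLEAN_PAGE.replace("currency:'INR'", "currency:'INR',debug:1")


if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("added", ADDED_SCRIPT_PAGE),
                       ("modified", MODIFIED_INLINE_PAGE)]:
        print(name, audit_payment_page(page))
```

In practice the captured page would come from a scheduled fetch of the live checkout URL (or from a tamper-detection agent that reports the loaded script set), and any entry in `unauthorised` or `missing_integrity` would raise an alert for the change-management process that 11.6.1 expects.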
PCI DSS Scope and CDE Definition
Scope reduction is the single most effective way to lower PCI DSS compliance cost. The Cardholder Data Environment (CDE) includes all system components that store, process, or transmit cardholder data, plus any system that can impact the security of the CDE. eShield Consulting's scoping assessment identifies: in-scope systems and networks, scope reduction opportunities through tokenisation and point-to-point encryption (P2PE), segmentation controls to isolate the CDE from out-of-scope networks, and compensating controls for legacy systems that cannot meet specific requirements. A well-scoped PCI DSS programme can reduce assessment costs by 40-60% compared to a broad-scope engagement.
PCI DSS Compliance Costs in India
PCI DSS compliance costs vary by merchant level and scope. Level 4 merchants (fewer than 20,000 e-commerce transactions or 1 million total Visa/Mastercard transactions per year) require a Self-Assessment Questionnaire (SAQ) and quarterly network scans by an Approved Scanning Vendor (ASV). Total cost for Level 4: ₹2,00,000 to ₹5,00,000 per year. Level 1 merchants and service providers require a Report on Compliance (RoC) by a PCI SSC-certified Qualified Security Assessor (QSA). Total cost for Level 1: ₹15,00,000 to ₹50,00,000 per year depending on scope. eShield provides QSA-ready documentation and gap remediation at fixed fees.
Ready to get started with PCI DSS Compliance India — QSA Consulting & Certification Support?
Our CERT-In certified experts will review your requirements and provide a detailed proposal within 24 hours.