PCI DSS Compliance Support for Merchants & Service Providers
We help retailers, restaurants, e-commerce operators, and service providers scope their cardholder data environment, harden it against the controls PCI DSS expects, and assemble the evidence to back it up.
The fastest way to fail a PCI assessment is to mis-scope it.
The Payment Card Industry Data Security Standard governs how cardholder data is stored, processed, and transmitted. Most merchants don’t actually know which systems are in scope, which questionnaire applies to them, or what the card brands and acquiring bank require of them. That ambiguity is where the work, and the risk, hide.
Technical Framework helps you cut the scope to the smallest defensible footprint, harden what’s in it, and produce documentation that survives the questions an acquirer or QSA will ask.
Who needs PCI support
If you accept payment cards in any form, PCI DSS applies — even if you’ve outsourced payment processing.
Restaurants & Hospitality
E-commerce & D2C Brands
Service Providers (SaaS, hosting, billing)
Healthcare Practices accepting cards
B2B Companies with online portals
Membership & Recurring-Billing Operators
PCI levels — quick reference
Validation requirements vary by transaction volume. The right path depends on your level and how you accept cards.
| Level | Approximate volume (per year) | Typical validation path |
|---|---|---|
| Level 1 | >6M card transactions | Annual on-site assessment by a QSA + quarterly ASV scans |
| Level 2 | 1M – 6M transactions | Annual SAQ or QSA assessment depending on brand + quarterly ASV scans |
| Level 3 | 20K – 1M e-commerce transactions | Annual SAQ + quarterly ASV scans |
| Level 4 | <20K e-commerce or <1M total | Annual SAQ; ASV scans may be required by the acquirer |
Card brands set the volume thresholds and may impose different requirements. Your acquiring bank is the source of truth for your specific obligations.
How Technical Framework supports your PCI DSS readiness
Our PCI-aligned services map across the 12 PCI DSS requirements.
CDE Scoping & Segmentation
Map every system that stores, processes, or transmits cardholder data, plus everything connected to it. Then design segmentation that shrinks scope.
Network & Firewall Hardening
Firewall configuration baselines, secure remote access, default-deny rules, and documented review cadence — Requirements 1 and 2 territory.
Vulnerability Management
Patch management, configuration baselines, internal vulnerability scanning, and coordination with an Approved Scanning Vendor (ASV) for external scans.
Access Control & MFA
Role-based access, unique IDs, multi-factor authentication for administrative and remote access, and documented user lifecycle management.
Logging & Monitoring
Centralized log collection, retention aligned to PCI DSS, alerting on critical events, and the audit trails Requirement 10 expects.
File Integrity & Change Detection
Change-detection on critical system files, configuration drift monitoring, and documented change management.
Encryption & Key Management
TLS configuration reviews, encryption-at-rest where applicable, secure key handling, and documentation of cryptographic controls.
SAQ Selection & Completion Support
Help choosing the correct Self-Assessment Questionnaire, walking through it line by line, and gathering the evidence each control requires.
Workforce Training & Phishing Tests
Annual security awareness training and phishing simulations — Requirement 12 expectations, with records preserved.
Incident Response Planning
Written response plans, defined roles, tested communications paths, and forensic-ready logging — so a card-data incident doesn’t become a crisis.
Vendor & Service Provider Management
Inventory of every third party that touches cardholder data, AOCs on file, and a recurring review cadence.
Documentation & Evidence Library
Policies, procedures, system diagrams, data-flow diagrams, and the kind of evidence library that turns a year-end SAQ from frantic into routine.
Common PCI gaps we see during onboarding
- Wrong SAQ chosen. Companies submit SAQ A when their integration actually requires SAQ A-EP — or worse, full SAQ D.
- Flat networks. The POS terminal, the back-office PC, and the guest Wi-Fi share one segment. PCI scope balloons.
- ASV scans failing for years. Quarterly scans were set up once, then never rerun, never reviewed, never remediated.
- Default credentials still in place. On firewalls, switches, payment terminals, or the POS database.
- Missing data-flow diagrams. No one can answer “where does the card number actually go?” — and PCI DSS expects you to.
- No incident-response plan. Or one that exists on paper only, never tested, never trained against.
- Service-provider AOCs not collected. The processor, the gateway, the SaaS billing platform — none of their Attestations of Compliance are on file.
Schedule a PCI scoping call
A 30-minute conversation, no commitment. We’ll walk through how you accept cards, where your scope likely is, which SAQ you should be on, and the highest-impact gaps to close first.
Technical Framework is an IT services company. We are not a Qualified Security Assessor or an Approved Scanning Vendor. Information on this page is general guidance, not legal or compliance advice. Your specific obligations depend on your level, how you accept cards, and your acquiring bank’s requirements; confirm with your acquirer and, where required, a credentialed third party.