PCI DSS Compliance

Card data, locked down.

Taking cards means living under PCI DSS. Our compliance work is led by a PCI SSC-certified Internal Security Assessor (ISA) — so your scoping, segmentation, and self-assessment are guided by someone formally trained by the PCI Security Standards Council, not run off a generic checklist.

15-minute call · senior engineer · no obligation

ISA
On staff
PCI SSC-certified Internal Security Assessor.
v4.0.1
Current standard
Future-dated requirements, planned for.
Scope ↓
Smaller CDE
Segmentation that cuts cost and risk.
01 What's included

An ISA-led PCI program.

  • 01 Cardholder data environment (CDE) discovery and scoping
  • 02 Network segmentation to shrink scope and audit cost
  • 03 Right-sizing your SAQ (A, A-EP, D…) or QSA/ROC path
  • 04 ISA-led internal readiness review against PCI DSS v4.0
  • 05 Remediation: MFA, logging, encryption, and change control
  • 06 Evidence collection and Attestation of Compliance (AOC) support
  • 07 QSA liaison for Level 1 Report on Compliance (ROC)
02 How we work

Scope it down, then prove it.

01
Scope

Find every system that stores, processes, or transmits cardholder data.

02
Segment

Isolate the CDE so the rest of your network falls out of scope.

03
Assess

ISA-led readiness review against every applicable PCI DSS requirement.

04
Validate

Complete the right SAQ and AOC — or prep and liaise with a QSA for a ROC.

03 FAQ

Questions, answered.

What does a PCI ISA actually bring?

An Internal Security Assessor is an individual certified through the PCI Security Standards Council's ISA program to assess PCI DSS controls. Having one lead your program means the same rigor a QSA applies — scoping judgment, evidence standards, and control interpretation — guiding your team well before you face an external assessor.

Do we need a QSA, or can we self-assess?

It depends on your card volume and acquirer. Most small and mid-sized merchants validate with a Self-Assessment Questionnaire (SAQ) and an Attestation of Compliance; Level 1 volumes require a QSA-signed Report on Compliance. We determine your path and prepare you for whichever applies.

How do we reduce PCI scope?

Segmentation, and not storing card data you don't need. We isolate the cardholder data environment and push as much of your network out of scope as possible — which lowers both your risk and the cost of staying compliant.

What changed with PCI DSS 4.0?

More prescriptive authentication (including MFA), expanded logging, targeted risk analyses, and new controls for e-commerce payment scripts. Several requirements became mandatory in 2025 — we make sure you're already meeting them.

Get started

Ready when you are.

Book a 15-minute introduction call. Walk away with a clear next step — whether you work with us or not.
