Vault · PCI DSS · v4.0.1

PCI DSS.

v4.0.1 readiness, signed and verifiable.

We prep your business for PCI DSS 4.0.1 — cardholder data environment scoping, SAQ-D completion, network and ASV scans, and the Tier 2 PCI Deliverable with two-party attestation. The deliverable your acquirer or QSA reviews carries a registered practitioner's signature and a timestamp your assessor can verify independently.

Standard: PCI DSS 4.0.1
Deliverable: Tier 2 PDF · two-party signed
Typical timeline: 90 to 180 days
For MSSPs + multi-merchant portfolios

One Vault relationship. Every merchant's PCI.

MSSPs, payment-acquirer service providers, and consulting firms running PCI for multiple merchants can consolidate every merchant engagement under one Vault relationship. One billing line. One audit chain per merchant. Hard tenant boundaries between merchants so a misclick never leaks cardholder data context across customers.

The dedicated MSSP console is live today. MSSP admins invite merchants directly from /agency/invite-customer; the practitioner signing your merchants' Tier 2 PCI Deliverables is the same one across the portfolio, under your firm's co-branded cover.

What an MSSP setup looks like
  • One umbrella billing relationship — your MSSP, not each merchant, pays Key 102. Per-merchant costs are routed through your existing customer invoicing.
  • Per-merchant engagement isolation — every merchant gets its own engagement with its own SAQ-D draft, evidence vault, audit chain, and Tier 2 Deliverable. Row-level security (RLS) enforces the separation at the database layer.
  • Co-branded deliverables — your MSSP + Key 102 on every Tier 2 PCI Deliverable. The signing practitioner appears alongside your firm on the cover.
  • Acquirer-grade verification — every signed deliverable carries a public verify URL. Your merchants' acquirers can confirm authenticity without contacting you.
Talk to us about MSSP access →
What this replaces

Hourly QSA-prep bills, replaced by a fixed monthly engagement.

Traditional hourly engagement
$25,000 to $125,000 per cycle

A typical PCI DSS 4.0.1 SAQ-D + readiness engagement runs 100 to 250 consultant hours billed at industry-typical rates ($250 to $500/hr). Merchants with complex cardholder data environments and engagements with significant remediation push higher. The cycle repeats annually.

Vault Self-Service — $429/mo
≈ $4,600 / year

Tammie walks the SAQ-D in the Mission Brief. Your practitioner reviews quarterly. Same vault, audit chain, and Tier 2 PCI Deliverable pipeline the higher tiers use. Roughly 70 to 90 percent off the hourly model for merchants that fit the SAQ-D profile.

For larger merchant environments, complex CDE scopes, or engagements that need hands-on practitioner work, Managed and Audit Co-Pilot tiers bundle the practitioner hours into a fixed monthly rate. See Vault tiers →

Comparison numbers reflect industry-typical hourly engagements. Your actual savings depend on your scope and the engagement depth you need. We don't quote savings without scoping your environment first.

What you get

Every artifact your acquirer or QSA expects.

01 · CDE scope + network diagram

Cardholder data environment defined under PCI DSS 4.0.1 §1.2. Network diagram, data-flow diagram, and the firewall ruleset export your assessor walks against.

02 · Hardening + access controls

Hardening baselines per §2 + §6. Password and MFA policy per §8. Access control matrix per §7. Each linked to evidence so the assessor doesn't have to ask twice.

03 · Logging + monitoring + scans

Audit logging policy per §10. Quarterly internal + external ASV scan evidence per §11.3. EDR / anti-malware attestations per §5. Vulnerability remediation pipeline tracked.

04 · Tier 2 PCI Deliverable

The signed PDF your acquirer or QSA reads — SAQ-D bundle, methodology, evidence summary, practitioner attestation, customer attestation. Two-party signed. Hash-verifiable via public /verify endpoint.

What you also get

The same backbone every Key 102 engagement runs on.

A practitioner who signs

Every Tier 2 Deliverable is signed by a named practitioner — a person's name on the page, not an AI byline. PCI QSA sign-off is restored once the practitioner's QSA credential is active.

Two-party attestation

Practitioner signs first; you sign through a step-up confirmation. Both signatures land in an append-only table.

Acquirer-verifiable

Every signed deliverable has a public verify URL. Your acquirer or QSA can verify authenticity in their browser.

Independent timestamps

Reports are sealed by an independent timestamping authority. Date provenance doesn't depend on our word.

Get your PCI done.

Start with the Mission Brief or schedule a 30-minute call. You'll leave with a real timeline, a fixed-price plan, and an honest read on whether Self-Service fits your scope or you need a deeper engagement.