Bergsonscrolled

Compliance & audit readiness

PCI DSS evidence that holds up in a QSA review.

We work with payment platforms and fintechs on PCI DSS scoping, evidence and remediation — focused on what the QSA, acquirer or card brand will actually ask to see. Bergson supports your QSA review; we are not a QSA.

When this matters

PCI DSS pressure usually arrives via an acquirer question, a SAQ D submission, a QSA finding or a cloud architecture change that puts CDE scope back on the table.

Scope

What we cover.

01

PCI DSS readiness

  • Applicability and SAQ-type confirmation
  • Gap analysis against PCI DSS v4.x
  • Roadmap to evidence completeness
  • Stakeholder and team workshop
02

Cardholder data environment scoping

  • Data flow mapping for card data
  • CDE boundary and connected systems
  • Storage minimisation review
  • Tokenisation and outsourcing review
03

Segmentation & cloud network

  • Network and account segmentation review
  • Cloud-native segmentation evidence
  • Segmentation testing approach
  • Shared responsibility mapping
04

Vulnerability & ASV evidence

  • Vulnerability management evidence
  • ASV scan coordination and remediation
  • Internal scan and pen test evidence
  • Patch and SLA tracking
05

Access, change & configuration

  • Privileged access controls and reviews
  • Change management evidence
  • Secure configuration baselines
  • TLS and cryptography evidence
06

Audit-ready workbooks

  • SAQ D evidence workbook
  • Control owner mapping
  • Traceable artefacts per requirement
  • QSA-ready evidence walkthrough

What good looks like

A defensible CDE scope, with evidence mapped per requirement and owned by the team that runs the platform.

  • 01A defensible CDE scope with documented data flows
  • 02Evidence workbooks mapped cleanly to each requirement
  • 03Cloud and segmentation evidence ready for the QSA
  • 04An annual PCI cycle the team can run themselves

Common triggers

Why teams typically bring us in.

  • CDE scope is assumed rather than evidenced
  • Cloud segmentation is not documented
  • ASV findings are treated tactically
  • Access reviews are inconsistent
  • Change evidence is fragmented across tools
  • SAQ answers are not backed by artefacts

Related services

Adjacent work teams often pair this with.

Have a deadline pressing on you?
Tell us the gap.

Most engagements start with a short call to understand the deadline, the team and the constraints.

Book a consultation

Bergson Limited is registered in Ireland. We are not auditors, QSAs, or legal advisers. We help technology teams produce the evidence those stakeholders need.