
Compliance & audit readiness

PCI DSS evidence that holds up in a QSA review.

We work with payment platforms and fintechs on PCI DSS scoping, evidence and remediation — focused on what the QSA, acquirer or card brand will actually ask to see. Bergson supports your QSA review; we are not a QSA.

When this matters

PCI DSS pressure usually arrives via an acquirer question, a SAQ D submission, a QSA finding or a cloud architecture change that puts CDE scope back on the table.

What we cover

Scope of work

PCI DSS readiness

  • Applicability and SAQ-type confirmation
  • Gap analysis against PCI DSS v4.x
  • Roadmap to evidence completeness
  • Stakeholder and team workshop

Cardholder data environment scoping

  • Data flow mapping for card data
  • CDE boundary and connected systems
  • Storage minimisation review
  • Tokenisation and outsourcing review

Segmentation & cloud network

  • Network and account segmentation review
  • Cloud-native segmentation evidence
  • Segmentation testing approach
  • Shared responsibility mapping

Vulnerability & ASV evidence

  • Vulnerability management evidence
  • ASV scan coordination and remediation
  • Internal scan and pen test evidence
  • Patch and SLA tracking

Access, change & configuration

  • Privileged access controls and reviews
  • Change management evidence
  • Secure configuration baselines
  • TLS and cryptography evidence

Audit-ready workbooks

  • SAQ D evidence workbook
  • Control owner mapping
  • Traceable artefacts per requirement
  • QSA-ready evidence walkthrough

What good looks like

A defensible CDE scope, with evidence mapped per requirement and owned by the team that runs the platform.

  • A defensible CDE scope with documented data flows
  • Evidence workbooks mapped cleanly to each requirement
  • Cloud and segmentation evidence ready for the QSA
  • An annual PCI cycle the team can run themselves

Common red flags

Patterns we see most often.

  • CDE scope is assumed rather than evidenced
  • Cloud segmentation is not documented
  • ASV findings are treated tactically
  • Access reviews are inconsistent
  • Change evidence is fragmented across tools
  • SAQ answers are not backed by artefacts

Next step

Talk to Bergson about this work

Most engagements start with a short call to understand the deadline, the team and the constraints.