r/pcicompliance

ASV scan cost for our client

We currently provide PCI DSS consultancy services primarily for merchants falling under SAQ A, where ASV scanning is not required. Recently, we onboarded a client that falls under SAQ A-EP, so an ASV scan became necessary.

Since we are not an ASV ourselves, we approached a few ASV providers for a scan on a single domain. One provider mentioned that pricing is not based on the number of domains/IPs, but rather on the effort involved in generating and managing the report.

I wanted to understand from others in the industry:

- Is this the standard pricing model for ASV services?

- For a relatively straightforward single-domain requirement, what is the typical cost range businesses are paying?

- Are there ASV providers that support partner/third-party managed scanning models for consultants or MSPs?

The compliance side is already covered internally; we are mainly looking for a practical and scalable ASV scanning approach for occasional SAQ A-EP clients.

reddit.com
u/Electronic_Crazy_385 — 3 days ago

How are healthcare platforms managing PCI DSS compliance while still supporting modern payment workflows?

At Acmeminds, we are seeing many healthcare platforms expand their PCI scope unintentionally because of recurring billing, patient portals, third-party billing vendors, and custom payment APIs.

The biggest issues usually come from:

  • card data touching internal services
  • weak segmentation between payment and application layers
  • incomplete audit logging
  • overprivileged admin access
  • legacy integrations storing sensitive payment metadata

One approach we recommend is keeping payment processing fully isolated using tokenized hosted payment fields and segmented payment microservices so cardholder data never enters the core healthcare application environment.

This significantly reduces PCI scope and makes audits much easier without affecting the patient payment experience.

How is your organization approaching PCI compliance today - architecture first, or compliance remediation after deployment?

u/Only_Ad_7390 — 3 days ago

PCI Compliance Assistance

I work for a small marketing agency and we are trying to get our PCI compliance in order. We have one site where we are the actual merchant, so we have a couple of questions regarding that, but our main questions are regarding our obligations as a hosting provider. We have a dedicated server where we host our clients' sites, and some of them link out to e-commerce sites or accept payment via a WordPress plugin. I have been trying to navigate this with LLMs, but my boss wants me to focus on other things that are on my plate (I am a developer; he would like me to go back to developing) and is OK with hiring someone to help us figure this all out. Does anyone have any recommendations on who we can contact to help answer some of these questions and hold our hand through the process? Also, any idea roughly how much it will cost just for a consultation like this? Even trying to figure out who to reach out to has been a struggle, as it seems like our PCI scope should be relatively low. We don't want to spend thousands of dollars if we just need PCI SAQ A for one site and minimal action for all our other sites.

u/ViolinistOtherwise27 — 10 days ago

What’s the most common “we thought we were PCI compliant” mistake you still see?

I keep hearing stories where teams feel audit-ready until scoping or evidence collection starts and major gaps appear.

Curious what issues people see most often now, especially during PCI DSS 4.0 transitions.

u/WolfParticular2348 — 12 days ago

Is penetration testing needed for PCI?

Our vCISO said we need to start following PCI requirements because we handle credit card data, but I wanted to make sure I understand what is actually required. He said we need quarterly vulnerability scans and a penetration test once a year. I was curious how common this is and whether other companies that process or store cardholder data are doing the same thing.

We are a smaller company, so this is still pretty new to us. Our vCISO said we should start getting our security program in order now, including things like access controls, vulnerability management, secure development practices, evidence collection, quarterly scans, and an annual pentest. He also mentioned that depending on how we handle cardholder data, we may need to complete a PCI SAQ or go through a more formal PCI assessment.

For the pentest, we got quotes from two companies, but I am not sure what the average price should be. Our environment is pretty small, but the quotes were very different. Someone recommended NCC Group, and they gave us a $40k quote, which seems very expensive. We also got a quote from StealthNet AI for $6.5k, which seems more reasonable.

I am curious what other people have paid for penetration testing when preparing for PCI. Are quarterly scans and a yearly pentest standard if you handle credit card data, or does it depend on your exact PCI scope?

u/Extra-Counter-9689 — 14 days ago

CDE Network and Data Flow Diagrams

I’ve been tasked with creating fresh network and data flow diagrams.

What are the recommended styles, stencils, or designs? I have Visio.

Thanks for the advice.

u/stupid_name — 10 days ago