How we can help
Claranet’s PCI Qualified Security Assessors (QSAs) help organisations at every stage of their PCI DSS journey – whether you’re validating compliance for the first time, re-certifying annually, or making architectural changes to modernise your payment environment.
Why Claranet
Practical, pragmatic experts who never take a tick-box approach.
PCI DSS shouldn’t be about blindly following a list. Our QSAs understand the intent behind the requirements, which means we can help you meet the standard in ways that work in real environments.
Technical expertise
Our team is very technical, which makes a big difference when dealing with:
- Multi-cloud and hybrid infrastructure
- Hosted platforms and third-party payment service providers
- Tokenisation, P2PE, and secure card capture flows
- EPOS platforms and large distributed retail estates
Where deeper technical input is required, we can also pull in Cloud, Networking, and Security specialists from across Claranet to help solve the problem — not just point at it.
Built to support your wider security strategy
PCI DSS doesn’t sit on its own. Our QSAs also work with ISO 27001, NIST, NIS2 and other frameworks, so the advice you get will make sense in the context of your broader security and compliance efforts — not create duplicate work.
How we work
Before you start implementing controls or preparing for an assessment, it’s essential to understand exactly what is in scope. We begin with a Cardholder Data Environment (CDE) mapping exercise to:
- Identify payment channels and data flows
- Confirm whether you qualify for SAQ self-assessment or require a Level 1 ROC
- Determine which PCI requirements apply to your systems and third parties
- Highlight where scope can be reduced through redesign, segmentation, or process changes
From this, we’ll produce a clear, realistic roadmap.
Once scope is clear, we compare your current setup against the PCI DSS requirements. You’ll get a practical, prioritised action plan that your technical and operational teams can actually work with — without guesswork.
This isn’t just a checklist — we look at:
- What you’re already doing well
- Where controls are missing
- Any policy or procedural gaps
- Technical work required
When you are ready to certify compliance, we perform the necessary assessment. Our team has extensive experience working with multiple acquirer and processor relationships, and can manage these conversations on your behalf.
- Level 1 merchants and service providers: We produce the formal Report on Compliance (ROC) and Attestation of Compliance (AOC), liaising directly with acquirers and card brands where required.
- SAQ-eligible organisations: We offer Assisted-SAQ support, guiding you through the evidence requirements, helping interpret the controls, and ensuring the SAQ is completed correctly.
We understand that different acquiring banks, payment schemes, and Qualified Security Assessors have different expectations around evidence, scoping positions, and sampling.
With PCI Credits, you simply call us when something comes up. Time is purchased up front and used in 15-minute chunks, so you only pay for what you actually use.
- Architectural questions
- Evidence prep
- Internal reviews
- Policy wording
- Responding to third party queries
Some organisations need more than just advice — they need ongoing, hands-on leadership of the PCI programme.
Our PCI as a Resource service places an experienced consultant into your organisation as part of your team. They can:
- Lead the PCI DSS project and governance activities
- Help prioritise remediation work and assign ownership
- Conduct internal training and awareness
- Assist in control implementation and documentation
- Coordinate the effort across technology, operations, and security teams

