PCI DSS v4 readiness for a UK consumer finance platform
A UK consumer finance platform · Consumer finance · 2020
Headline outcome
Reduced PCI scope by 70% via tokenisation; AOC delivered with zero qualification on first attempt
Context
A UK consumer finance platform was preparing to bring a new credit product to market. The product required handling card data; the existing PCI DSS scope was already broad and the operations team was overstretched. Adding the new product without redesigning the data flows would have made PCI scope close to unmanageable.
The brief was: get to PCI DSS v4 readiness, with a smaller scope than the previous certification, in time for the new product launch.
Risk
- Scope-creep risk — without a deliberate redesign the new product would expand the cardholder data environment by ~40%.
- Date risk — the launch window was fixed by the commercial team.
- v4 vs v3.2.1 gap — several v4 controls (continuous validation, customised approach, MFA expansion) were new ground for the operations team.
Engagement
We took the GRC lead role for 18 weeks:
- Weeks 1-3: data-flow redesign — moved card capture to a PCI-compliant tokenisation provider, so the platform never sees a raw PAN (primary account number) again. Existing flows that handled raw card data were ring-fenced and scheduled for sunset.
- Weeks 4-10: control design and implementation — every v4 new control mapped to an owner, an evidence source, and a quarterly validation cadence. MFA expanded across all cardholder data environment access. Logging consolidated.
- Weeks 11-14: internal readiness — full dry-run in the QSA's (Qualified Security Assessor's) preferred evidence format; 18 findings closed.
- Weeks 15-18: external assessment — QSA on-site, Attestation of Compliance (AOC) delivered on the contracted date.
Outcome
- PCI scope reduced ~70% measured by systems in scope.
- AOC issued with zero qualification on first attempt.
- New product launched on the original date, with PCI compliance verified in advance.
- Continuous validation running quarterly without dedicated consultant time.
This case study uses patterns covered in our GRC and Audit Readiness service.
Next step
Working on something similar?
We'll diagnose the shape of your problem in a 30-minute call. No proposals, no pitching.