Pristine InfoSolutions delivers end-to-end PCI DSS v4.0 compliance for Saudi merchants, payment processors, banks, fintechs, and e-commerce organisations — from initial scoping and gap assessment through to QSA-supported Report on Compliance (ROC) and Annual SAQ guidance. 100% compliance achievement rate.
PCI DSS applies to any entity that stores, processes, or transmits payment account data — regardless of size, transaction volume, or geography. In Saudi Arabia, Mada and international card brands enforce compliance through acquiring banks.
Acquiring banks, issuing banks, and payment processors handling cardholder data. SAMA Sub-domain 3.2.3 mandated. Highest level of PCI DSS assessment required. Assessment: SAQ-D / ROC.
SAMA-licensed payment service providers, digital wallets, BNPL operators, and money transfer businesses processing Saudi cardholder data. Assessment: SAQ-D / SAQ-A-EP.
Saudi e-commerce platforms accepting online card payments. Scope depends on payment page ownership — redirected payments (SAQ-A) vs hosted payment pages (SAQ-A-EP or SAQ-D). Assessment: SAQ-A / SAQ-A-EP.
Physical retail merchants using point-of-sale terminals connected to Saudi payment networks including Mada. SAQ type depends on POS configuration and network connectivity. Assessment: SAQ-B / SAQ-C.
Technology companies whose platforms are used by merchants or processors to store, process, or transmit cardholder data — third-party service providers subject to PCI DSS. Assessment: SAQ-D (TPSP).
IT and security service providers with access to cardholder data environments, or with the ability to affect the security of those environments — assessed as Third Party Service Providers (TPSPs). Assessment: SAQ-D (TPSP).
Hotels, airlines, and travel companies accepting card payments in Saudi Arabia — subject to Mada and international card brand compliance requirements. Assessment: SAQ-C / SAQ-D.
Saudi healthcare providers and government entities accepting card payments for services — increasingly subject to PCI DSS as digital payment adoption expands. Assessment: SAQ-B / SAQ-C.
PCI DSS v4.0 organises its requirements into six control objectives spanning network security, data protection, access control, monitoring, and policy governance. Pristine implements every applicable control — with evidence packages formatted for QSA review.
The network security foundation of PCI DSS — defining what constitutes your Cardholder Data Environment (CDE), implementing firewall controls to protect it, and eliminating vendor-supplied defaults. Network segmentation to reduce PCI scope is one of the highest-value activities Pristine performs for Saudi organisations.
The core data protection requirements — ensuring cardholder data is protected at rest (encryption, truncation, tokenisation) and in transit (TLS 1.2+ for all transmissions over open networks). PCI DSS v4.0 significantly strengthens cryptographic requirements with new key management controls.
Protecting CDE systems from malware, unpatched software, and web application vulnerabilities. PCI DSS v4.0 requires a new Targeted Risk Analysis (TRA) approach for many controls — replacing fixed timelines with risk-based frequency determination. Pristine implements compliant TRA processes and vulnerability management programmes across Saudi merchant and payment environments.
PCI DSS access control requirements — ensuring only authorised individuals and systems access cardholder data environments. PCI DSS v4.0 significantly strengthens MFA requirements — expanding phishing-resistant MFA to all access into the CDE, not just remote access.
Ongoing monitoring, testing, and information security policy requirements — ensuring the PCI DSS programme remains effective and responsive to the evolving threat landscape. Includes logging, ASV scanning, penetration testing, and the overarching information security policy framework.
Every PCI DSS service Saudi merchants, banks, and payment organisations need — from initial scoping and gap assessment through to ongoing compliance maintenance.
Define your Cardholder Data Environment (CDE), identify all in-scope systems, and assess current controls against all applicable v4.0 requirements. Scope reduction strategy delivered — often cutting scope by 60-80%.
Expert guidance through SAQ-A, SAQ-A-EP, SAQ-B, SAQ-B-IP, SAQ-C, and SAQ-D completion — the correct SAQ type selected and all questions answered with supporting evidence.
Quarterly Approved Scanning Vendor (ASV) external vulnerability scans of all CDE-connected IP addresses — required for all SAQ types. Scan disputes managed and remediation guidance provided.
Annual internal and external penetration testing of CDE boundaries — aligned to PCI DSS Requirement 11.4. Segmentation testing validating scope reduction. CREST-qualified testers.
Architecture design and implementation to isolate your CDE from other networks — reducing PCI scope and compliance cost. Firewall rule review and documentation aligned to Requirement 1.
Replace stored PANs with tokens — removing cardholder data from your environment and dramatically reducing PCI scope. Encryption key management programme aligned to PCI DSS v4.0 enhanced requirements.
Secure payment page implementation — SAQ-A redirect configuration, script integrity controls for v4.0 compliance, Magecart/e-skimming protection, and 3D Secure (3DS) implementation.
Full QSA-supported Report on Compliance for Level 1 merchants and service providers — on-site assessment, evidence review, and formal ROC and Attestation of Compliance (AOC) issuance.
Year-round PCI DSS compliance management — quarterly ASV scans, quarterly access reviews, patch management tracking, security awareness training, and annual penetration testing coordination.
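The script authorisation and integrity controls referred to in the secure payment page service above, shown as an added illustration that is not Pristine's code: a Python check that compares every script tag on a checkout page with a constructed authorised-script inventory (business justification plus the SRI hash approved at authorisation, hypothetical URLs) and reports scripts that are unauthorised, unpinned, changed since approval, or inline.

```python
import base64
import hashlib
import re

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value ("sha384-<base64 digest>") for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

# Constructed authorisation inventory (hypothetical URLs):
# url -> (business justification, integrity value approved at authorisation time).
INVENTORY = {
    "https://cdn.example/js/payment.js": ("Acquirer payment form", sri_hash(b"window.pay = 1;")),
    "https://cdn.example/js/analytics.js": ("Conversion analytics", sri_hash(b"track('checkout');")),
}
# Constructed stand-in for what each URL serves today; analytics.js has drifted.
FETCHED = {
    "https://cdn.example/js/payment.js": b"window.pay = 1;",
    "https://cdn.example/js/analytics.js": b"track('checkout'); /* changed upstream */",
}
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')

def review_payment_page(html: str, inventory: dict, fetched: dict) -> list:
    """Return (script, problem) pairs for every <script> that fails the control."""
    findings = []
    for tag in SCRIPT_TAG.finditer(html):
        attrs = dict(ATTR.findall(tag.group(1)))
        src = attrs.get("src")
        if src is None:
            findings.append(("<inline>", "inline script needs authorisation and justification"))
            continue
        if src not in inventory:
            findings.append((src, "not in authorised inventory"))
            continue
        expected = inventory[src][1]
        if attrs.get("integrity") != expected:
            findings.append((src, "integrity attribute missing or differs from inventory"))
        if src in fetched and sri_hash(fetched[src]) != expected:
            findings.append((src, "served content differs from authorised hash"))
    return findings

# Constructed checkout page: one compliant script, one drifted, one unauthorised, one inline.
SAMPLE_PAGE = f"""
<script src="https://cdn.example/js/payment.js" crossorigin="anonymous"
        integrity="{INVENTORY['https://cdn.example/js/payment.js'][1]}"></script>
<script src="https://cdn.example/js/analytics.js"></script>
<script src="https://cdn.example/js/widget.js"></script>
<script>document.title = "Checkout";</script>
"""
```

Run the same review on every release of the payment page and after each vendor update; a new finding is the trigger for a change-authorisation decision rather than a silent re-pin of the hash.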
Three structured PCI DSS programmes for every Saudi organisation — from SAQ self-assessment support to full QSA-supported Level 1 ROC.
Self-Assessment Questionnaire support for smaller merchants — SAQ-A, SAQ-B, or SAQ-C with gap assessment, ASV scans, and expert guidance.
Complete PCI DSS v4.0 compliance programme for SAQ-D merchants and service providers — full gap remediation, ASV, penetration testing, and annual maintenance.
Full QSA-supported Report on Compliance for Level 1 merchants, acquiring banks, and payment processors requiring formal ROC and AOC.
Pristine's PCI DSS practice includes QSA-certified assessors trained and qualified by the PCI Security Standards Council — providing formal assessment services that no unqualified firm can deliver.
Most Saudi merchants significantly over-scope their PCI environments. Pristine's network segmentation strategy typically reduces PCI scope — and therefore cost — by 60-80%, often in the first engagement.
SAMA Sub-domain 3.2.3 requires PCI DSS for financial institutions handling cardholder data. Pristine integrates PCI DSS and SAMA compliance in a single programme — one evidence set satisfying both standards.
PCI DSS v4.0 introduced significant new requirements — script integrity controls, expanded MFA, customised implementation, and targeted risk analysis. Pristine's methodology is fully v4.0 compliant from day one.
Pristine designs and implements tokenisation architectures that remove cardholder data from merchant environments entirely — the most effective PCI scope reduction strategy available for Saudi e-commerce.
Deep understanding of Saudi payment infrastructure — Mada, SPAN, and SADAD — and the specific PCI DSS implementation requirements applicable to Saudi payment network participants.
Pristine reduced our PCI DSS scope from 340 systems to 47 through their network segmentation design. Our annual compliance cost dropped by 65% and our QSA assessment time halved. The SAMA integration meant we satisfied both PCI and SAMA Sub-domain 3.2.3 from one programme. Outstanding value.
We had been trying to achieve PCI DSS SAQ-D compliance for 18 months. Pristine assessed our environment, identified that we qualified for SAQ-A through redirect-only payment processing, and completed our compliance in 3 weeks. The simplification saved us enormous effort and cost. Expert guidance.
Our PCI DSS v4.0 transition was blocked by the new script integrity requirements — we had 23 third-party scripts on our payment pages with no management process. Pristine implemented a complete script authorisation and integrity verification programme in 6 weeks. v4.0 compliant before the March 2025 deadline.
Request a free PCI DSS scoping call — our QSA-certified assessors will determine your correct SAQ type, estimate your compliance scope, and identify the fastest path to compliance at no cost.
A senior Pristine specialist will contact you within 4 business hours. All assessments are conducted under NDA.
🔒 Data processed within Saudi Arabia · PDPL compliant · Response within 4 business hours