A retailer with both stores and a growing online business came to us because PCI DSS had become a tax on everything they did. Card details flowed through their own systems in more places than anyone had intended, which meant the assessment touched almost the entire estate. Every server, every integration, every loosely connected back-office box was potentially in scope, and the annual exercise had turned into a slow, expensive ordeal that taught them little about whether they were actually safer.

The real problem was not the standard. It was that the business was handling card data in places it had no business need to. The cheapest data to protect is the data you never hold, and that became the guiding idea.

The challenges we had to solve

  • Nobody could draw an accurate picture of where card data was captured, where it flowed, and where it came to rest. Scope is impossible to argue without that.
  • The card environment was not separated from the rest of the network, so ordinary systems were dragged into a stringent assessment for no good reason.
  • Some flows touched the full card number where a token or a redirect to a validated provider would have done the job just as well.
  • The retailer needed a path it could keep clean over time, not a one-off reshuffle that would silently sprawl back to where it started.

How we approached it

We traced the card data honestly, end to end, and built the picture that should have existed all along. With that in hand, the priority was obvious: move capture to a validated payment provider and tokenisation wherever we could, so the business worked with tokens rather than real card numbers, and the systems that no longer touched card data fell out of scope entirely. Where card flows had to remain, we segmented that environment off from everything else, so the stringent requirements applied to a small, well-defined island rather than the whole estate.
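The two moves in that paragraph, finding where real card numbers sit and then replacing them with tokens so those systems drop out of scope, are easy to show in code. The block below is an added illustration, not the retailer's or the firm's tooling: it scans a handful of constructed log and record lines for Luhn-valid PANs, reports which notional systems hold one, and then shows a stand-in token vault (assumed here; a real deployment would use the validated provider's service) swapping a PAN for a letters-only token that the same scanner no longer flags.

```python
"""PAN discovery and tokenisation illustration (added example, not the page's own code)."""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets

# A candidate PAN is 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: real PANs pass it, most timestamps and order ids do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN found in a line, as plain digits."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Conventional masked form: first six and last four, the rest starred."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scope_report(records: dict[str, list[str]]) -> dict[str, list[str]]:
    """Map each system to the masked PANs found in its data; an empty list means out of scope."""
    return {system: [mask_pan(p) for line in lines for p in find_pans(line)]
            for system, lines in records.items()}


class TokenVault:
    """Stand-in for the provider-side vault: downstream systems only ever see the token."""

    def __init__(self, key: bytes | None = None):
        self._key = key or secrets.token_bytes(32)
        self._store: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        digest = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()[:16]
        # Letters only, so a token can never be mistaken for (or scanned as) a card number.
        tok = "tok_" + "".join(chr(ord("a") + int(c, 16)) for c in digest)
        self._store[tok] = pan
        return tok

    def detokenise(self, token: str) -> str:
        return self._store[token]


def tokenise_line(vault: TokenVault, line: str) -> str:
    """Replace each real PAN in a line with its token, as a capture-side proxy would."""
    def swap(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return vault.tokenise(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(swap, line)


# Constructed sample lines standing in for what a data-discovery sweep would read.
SAMPLE_RECORDS = {
    "pos-store-12": ["2024-05-01 sale txn=8812 pan=4111 1111 1111 1111 amount=19.99"],
    "web-checkout": ["order=55021 token=tok_kdfhaqpbcmeojgln amount=42.00 last4=4242"],
    "erp-batch":    ["settle ref=20240101 120000 card=4111111111111112"],  # fails Luhn
    "crm-notes":    ["customer called re card 5500-0000-0000-0004 declined"],
}

if __name__ == "__main__":
    for system, hits in scope_report(SAMPLE_RECORDS).items():
        print(f"{system:13} {'IN SCOPE ' if hits else 'out of scope'} {hits}")
    vault = TokenVault()
    print(tokenise_line(vault, SAMPLE_RECORDS["pos-store-12"][0]))
```

Two things the output makes concrete. The web checkout, which only ever holds a token and the last four digits, produces no hit and so stays out of scope; the CRM notes field, which nobody would have listed as a payment system, does produce one, and that is exactly the kind of surprise the tracing exercise exists to find. The Luhn filter keeps timestamps and order ids out of the report, but a 16-digit value that fails Luhn in a field called `card=` still deserves a human look, so a production sweep would log those candidates separately rather than discard them.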

The effect on the assessment was the point: a much smaller footprint, a self-assessment that matched a business that genuinely held far less, and controls documented as they really operate rather than asserted across systems nobody could vouch for. We were careful not to oversell it. Outsourcing capture does not make PCI disappear; the capture point and the provider relationship still matter, and we said so. The validation is the retailer’s to maintain; our work was making it match a smaller, more honest reality.

Where it stands

The retailer now holds far less card data than it did, and the systems that no longer touch it are out of the conversation. The annual assessment reflects a smaller, clearer environment, and the team understands why each remaining control exists. PCI stopped being a tax on the whole business and became a manageable obligation around the one part that actually handles payments.

Talk to us about your project.

A short conversation is usually enough to tell whether we are the right fit for the work. We will be straight with you either way.