PCI DSS · Compliance · Payments

Owning and Maturing a PCI DSS Level 1 Compliance Program

Challenge

A payments technology company processing transactions for enterprise clients maintained PCI DSS Level 1 certification — the most rigorous tier, requiring a full Report on Compliance (ROC) with a Qualified Security Assessor (QSA). The organization needed leadership that could bring deep institutional knowledge, cross-functional technical expertise, and long-term stability to the compliance function.

Approach

  • Transitioned into compliance leadership as a founding-team member with 10+ years of IT and development experience at the organization, providing unmatched operational context
  • Pursued CISM certification to formalize security management expertise before assuming the role
  • Took full ownership of the PCI DSS Level 1 program: QSA liaison, evidence collection, findings response, and executive reporting
  • Architected Cardholder Data Environment (CDE) network segmentation in coordination with engineering
  • Expanded and matured the program to support multiple operating entities simultaneously
  • Built a sustainable annual audit cycle that scales with organizational growth

Outcome

  • Maintained PCI DSS Level 1 certification annually with strong audit results
  • Program matured to support three operating entities simultaneously
  • Led gap assessment and remediation roadmap for PCI DSS 4.0 migration — one of the most significant compliance transitions in payments in a decade
  • QSA engagement runs efficiently with minimal external consulting cost due to strong internal evidence management