Achieve PCI-DSS Compliance in 90 Days
Your roadmap from CDE scoping to signed Attestation of Compliance. Cardholder data protection, segmentation, vulnerability scans, and QSA coordination — starting at $2,600 (STACK Compass).
The full 90-day PCI-DSS program
Baseline assessment, 12-requirement control mapping, CDE roadmap, and optional vCISO acceleration — everything from initial scoping to AOC.
STACK Compass Assessment
Baseline audit of your current state: cardholder data environment (CDE) coverage, gaps, implementation effort.
$2,600
Control Mapping
Map PCI-DSS 12 requirements to your systems and processes. Identify quick wins vs. engineering work.
Included
Implementation Roadmap
Week-by-week plan: CDE segmentation, cardholder data protection, vulnerability scanning, access controls.
Included
Hands-On Support (Optional)
Named vCISO + project management + weekly check-ins. PCI-DSS-specific guidance included.
+$7,500–$11,000
Gap analysis. Roadmap. Implementation. Assessment-ready.
Four phases from blank CDE scope to a signed Attestation of Compliance (AOC) or Report on Compliance (ROC).
1 · Gap Analysis (Weeks 1–2)
Goal: Understand your CDE and compliance posture.
- Run STACK Compass for PCI-DSS 12 requirements
- Map your cardholder data environment (CDE)
- Identify gaps: missing controls, vulnerabilities, evidence
- Estimate implementation effort per requirement
- Determine scope (service provider vs. merchant)
Deliverable: PCI-DSS gap report (25–35 pages)
2 · Roadmap (Week 3)
Goal: Define your path forward.
- Map PCI-DSS requirements to your CDE
- Create PCI policies and procedures (templates provided)
- Plan cardholder data encryption and access controls
- Define vulnerability scanning and penetration testing schedule
- Align timeline with QSA audit schedule
Deliverable: Roadmap + control mapping matrix
3 · Implementation (Weeks 4–8)
Goal: Build your PCI program.
- Deploy PCI controls (segmentation, encryption, access controls, monitoring)
- Implement cardholder data protection measures
- Document control evidence and audit trails
- Conduct vulnerability scans and penetration testing
- Remediate findings
Deliverable: Control evidence + audit documentation
4 · Assessment Ready (Weeks 9–12)
Goal: Pass your QSA assessment.
- Final internal audit (find last-minute gaps)
- Prepare for QSA assessment
- Coordinate on scope and timeline
- Receive PCI-DSS attestation or Report on Compliance
Deliverable: AOC or ROC
Payment-focused, faster, cheaper
Three reasons merchants and service providers switch from horizontal platforms to a purpose-built PCI program.
5 Months Faster
90 days to assessment-ready vs. Vanta's 6+ months. Meet your compliance deadline.
1/10th the Cost
$2.6k (STACK Compass) + $7.5–11k (hands-on) = ~$10.1k–$13.6k total. Vanta: $30k+/year.
Payment-Focused
Specialized for payment card data protection, CDE segmentation, cardholder security controls.
Pick the tier that matches your team
From DIY assessment to fully-managed acceleration with QSA coordination to ongoing CISO retainer.
Self-Service (DIY)
Price: $2,600 (STACK Compass)
Best if you have PCI expertise in-house or a strong security team.
Timeline: 120–180 days
Hands-On Acceleration · Recommended
Price: $10,100–$13,600 total (Compass + Acceleration)
Named vCISO, weekly check-ins, CDE implementation guidance, QSA coordination.
Timeline: 90 days to assessment-ready
Add Ongoing Support
Price: +$5,000–$10,000/month (CISO Office Hours)
After assessment, sustain your program with governance, policy reviews, and incident response.