QSA Company since 2006
First in Australia to be certified by the PCI Security Standards Council. Two decades of assessor experience across every card brand and transaction volume.
Australia's first certified QSA Company. Twenty years of PCI DSS assessments, pen tests and v4.0 script monitoring for merchants, service providers and banks.
Vectra became Australia's first certified QSA Company in 2006 and has supported more than 80% of ASX-200 organisations through their PCI DSS programs. Our assessors write the Report on Compliance that acquiring banks and card schemes accept first time. Services span pre-assessment gap analysis and scope minimisation, full Level 1 assessment, DSS v4.0 script monitoring (requirements 6.4.3 and 11.6.1), segmentation testing (11.4), ASV quarterly scans (11.3.2) and annual re-assessment. We operate from five Australian offices - Sydney, Melbourne, Adelaide, Perth and Brisbane - across the retail, financial services, insurance, gaming and third-party service provider sectors.
The same named team stays with you from kick-off through delivery. Engagements are shaped to your risk profile, not our template library.
More than 80% of Australia's top listed organisations have used Vectra for PCI DSS assessment, SAQ support, ASV scanning or pen testing.
Reports are written to satisfy your acquirer's reviewer on first submission. No template content, no generic risk language, no back-and-forth revisions.
Whether you're Level 1 or Level 4, merchant or service provider, we right-size the engagement and the control footprint to your actual risk.
Every engagement follows the same six-step CREST-aligned methodology. You get visibility into every phase and an audit trail of every action taken by the test team.
Establish merchant level, CDE footprint, SAQ type and acquirer expectations before any control work begins.
Document current state against all 12 DSS requirements and produce a prioritised remediation roadmap.
Pragmatic uplift of controls, system hardening, policies and evidence collection aligned to the roadmap.
Penetration testing, ASV scans, segmentation testing and process walk-throughs confirm control effectiveness.
Formal QSA-led assessment producing the Report on Compliance and Attestation of Compliance for submission to acquirers.
Annual re-assessment, v4.0 requirement uplifts, change reviews and continuous compliance support across the program.
No tiered upsells, no "platinum" package. What you see is what you get - one contract, one team, one number to call.
On-site QSA-led audits for merchants and service providers producing an acquirer-accepted Report on Compliance and Attestation of Compliance.
Self-Assessment Questionnaire preparation and review for Level 2-4 merchants - we do the mapping, you sign the attestation.
Pre-assessment current-state review with a prioritised remediation plan and scope-minimisation recommendations.
Quarterly external scans against DSS 11.3.2 via our in-house Approved Scanning Vendor capability - one vendor, one contract.
Application, infrastructure and segmentation testing aligned to DSS 11.4 and the broader 11.x requirements.
e-Commerce page script inventory and tamper detection for DSS v4.0 requirements 6.4.3 and 11.6.1 effective 31 March 2025.
Every engagement runs through a unified portal. Scope, schedule, review findings and measure the program across years of history - without a single PDF attachment hitting your inbox.
End-to-end guidance on every requirement with clear implementation pathways mapped to your environment - not a tick-and-flick checklist.
Vectra QSAs are registered with the PCI Security Standards Council and named on your Report on Compliance at submission.
Design patterns that legitimately cut the CDE footprint - reducing control obligations without shifting risk to untested boundaries.
Coverage of the 6.4.3 and 11.6.1 e-commerce script requirements effective from 31 March 2025 - tooling, monitoring and attestation ready.
Approved Scanning Vendor capability for requirement 11.3.2 - no third-party coordination, no second vendor to manage.
Annual re-assessment, change management reviews and interim attestation support to maintain status between cycles.
Measurable, reportable, auditable - every outcome tracks to a control in your compliance framework.
Signed Report on Compliance accepted by the acquiring bank on first submission
Cardholder data environment demonstrably secured against DSS v4.0 risk objectives
Clear understanding of every DSS requirement as it applies to your specific business model
Minimised CDE footprint through design patterns that legitimately reduce control burden
Evidence pack suitable for card scheme audit, acquirer review and internal board reporting
Can't find the answer here? The team responds to scoping queries within one business day - usually faster.
PCI DSS is the Payment Card Industry Data Security Standard - a contractual requirement for any organisation that stores, processes or transmits payment card data. Regardless of whether you use a third-party processor, if card data touches your systems at any point you carry compliance obligations.
Merchant level dictates the path. Level 1 merchants (6M+ transactions / year) and most service providers require an annual QSA-led assessment and Report on Compliance. Levels 2-4 can complete a Self-Assessment Questionnaire matching their card-acceptance channels - we can assist with either path.
Yes. Vectra holds PCI SSC ASV accreditation and runs quarterly external network scans in-house against DSS requirement 11.3.2 - no third-party coordination required.
Requirements 6.4.3 and 11.6.1 for client-side script integrity on e-commerce payment pages become mandatory from 31 March 2025. We offer tooling, monitoring and attestation for both.
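As an added illustration (not Vectra's tooling or any part of the original page), the constructed Python check below shows the shape of what 6.4.3 and 11.6.1 ask for: an authorised script inventory with content hashes and business justifications, diffed against the scripts and HTTP headers a monitored payment page actually served. Every URL, script body and header value is made up.

```python
"""Constructed script-inventory and tamper check for a payment page (DSS v4.0
6.4.3: authorised inventory with integrity; 11.6.1: detect unauthorised
changes to the page's scripts and HTTP headers). No real sites or scripts."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ScriptRecord:
    src: str            # script URL, or "inline:<index>" for inline blocks
    sha256: str         # hex digest of the authorised script body
    justification: str  # 6.4.3 asks for a written business justification


def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


# Hypothetical baseline for a checkout page; URLs and bodies are made up.
AUTHORISED_SCRIPTS = {
    "https://checkout.example/js/payment.js": ScriptRecord(
        "https://checkout.example/js/payment.js",
        sha256_hex(b"tokenise(cardForm);"), "card tokenisation"),
    "https://cdn.example/analytics.js": ScriptRecord(
        "https://cdn.example/analytics.js",
        sha256_hex(b"track('checkout');"), "conversion analytics"),
}
AUTHORISED_HEADERS = {"content-security-policy": "script-src 'self' cdn.example"}


def check_payment_page(observed_scripts, observed_headers,
                       scripts=AUTHORISED_SCRIPTS, headers=AUTHORISED_HEADERS):
    """Diff what the browser received (src -> body bytes, lower-cased header
    name -> value) against the approved baseline; return findings by type."""
    findings = {"unauthorised": [], "modified": [], "missing": [], "headers": []}
    for src, body in observed_scripts.items():
        record = scripts.get(src)
        if record is None:                       # script nobody approved
            findings["unauthorised"].append(src)
        elif sha256_hex(body) != record.sha256:  # approved src, altered body
            findings["modified"].append(src)
    findings["missing"] = [s for s in scripts if s not in observed_scripts]
    for name, expected in headers.items():
        if observed_headers.get(name) != expected:  # header stripped or changed
            findings["headers"].append(name)
    return findings


def page_is_clean(findings):
    return not any(findings.values())  # nothing to alert on
```

In practice the observed inputs come from a periodic fetch or a browser-side agent, and any non-empty finding is the alert 11.6.1 expects to reach the responsible team.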
Typical Level 1 assessment runs 4-8 weeks of active QSA time after remediation completes, plus a 2-3 week reporting window. Complex environments with large CDE footprints can stretch longer - scope drives the timeline.
Yes - our CREST-certified pen test team handles segmentation testing aligned to 11.4 as a bundled scope item, or as a standalone engagement. One vendor, one report, one set of evidence.
We never submit a ROC we don't expect to pass. Gap assessments ahead of the formal engagement surface issues early. If issues emerge mid-assessment, we work with you and your acquirer on a remediation window - not a fail verdict.
Talk to an engineer - not a call centre. Most Vectra conversations start with a 30-minute technical briefing and end with a written plan.