PCI DSS v4.0.1 · Readiness assessment
The standard has 250 controls. Almost nobody has to meet all of them — but until someone tells you which ones you can rule out, and why, you're guessing at the size of your own problem.
InitialEyes gives you the first look: a scoped, evidence-backed picture of where you stand, what's actually broken, and the order to fix it in. Fixed fee, one week.
Tell it about your business
Nothing selected — assume everything applies. Switch on what's true of you.
The engagement
STEP 01
We establish what's actually in your cardholder data environment — and put in writing which controls don't apply to you, with the reason for each exclusion. An unexplained "not applicable" is the first thing an assessor will challenge.
STEP 02
We review your environment against every control that remains: configuration, access, logging, encryption, policy. Passive review by default. Anything active happens only with your written authorization.
STEP 03
You get a readiness score, every gap ranked by severity, and a phased remediation plan your team can execute against. Written to be handed to a board, an acquirer, or an engineer — not to impress you with jargon.
The deliverable
A single PDF. No portal to log into, no seat licence, no upsell.
Straight answer
If you're a small merchant who has fully outsourced payments to a hosted gateway and never touches a card number, your obligation may be a short self-assessment questionnaire you can complete yourself in an afternoon. We'll tell you that for free, and we'll tell you which SAQ it is.
Where we earn our fee is the messy middle: you take payments online, you've got some AWS infrastructure that grew organically, nobody's certain whether card data has ended up in a log or a spreadsheet, and your acquirer is now asking questions. That's the problem worth paying to have looked at properly.