PCI DSS Compliance Enablement for a Fintech Organization

Fintech PCI DSS Compliance

A fintech organization required alignment with multiple PCI DSS requirements to continue providing secure payment services to its customers. With only four weeks before their existing MSSP contract ended, they needed expert compliance guidance — fast.

Background

The organization was working with a Managed Security Service Provider (MSSP) that handled infrastructure monitoring. Following a migration of their environment to AWS, the client continued with the same MSSP — but the quality of service began to decline. Communication gaps, delayed responses, and lack of clarity around compliance responsibilities led to increasing frustration.

As PCI DSS compliance timelines approached, the client realized they needed expert compliance guidance rather than managed monitoring services. Their key objective was to ensure PCI DSS alignment while retaining full flexibility over their infrastructure and tooling. With only four weeks before the MSSP contract ended, they approached SecComply.

Client Environment

The client's AWS-hosted infrastructure consisted of:

  • 2 × Windows Server 2019 virtual machines
  • 2 × Debian Linux virtual machines
  • Active Directory server
  • AWS CloudTrail
  • pfSense firewall
  • Microsoft Defender and ClamAV antivirus

The environment required structured logging, audit readiness, and documented security controls to meet PCI DSS obligations.

SecComply's Approach

SecComply engaged as a security and compliance consulting partner, focusing on PCI DSS requirement mapping, security control assessment, logging and monitoring design, compliance documentation support, and validation of technical controls.

Phase 1: Discovery & Assessment

SecComply conducted a structured discovery session to understand business operations, administrative and privileged access, expected user behavior, third-party dependencies, current logging and monitoring practices, and existing security policies. This built a clear picture of the client's risk posture and identified compliance gaps.

Phase 2: PCI DSS Gap Analysis — Requirement 10 (Logging & Monitoring)

SecComply reviewed the client's logging architecture to ensure compliance with centralized log collection, retention of audit logs, and traceability of user and system actions. Special focus was given to Requirement 10.7:

  • Minimum 90 days of immediately available logs
  • At least 12 months of log retention for audit purposes

Phase 2 (cont.): Requirement 11 — Security Testing & Change Monitoring

SecComply reviewed vulnerability management and change detection processes, validated quarterly scan coverage, ensured scan results were documented, and guided the client on implementing:

  • File Integrity Monitoring (FIM)
  • Change detection for critical system files
  • Alert review and documentation processes

These controls were designed to meet PCI DSS requirements without overengineering the environment.
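The file integrity monitoring control listed above, shown as an added example that is not part of SecComply's engagement or any tool named on the page: a minimal baseline-and-compare FIM check in Python that records a SHA-256 digest and permission bits per file and reports added, removed and modified files. The file names and contents are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Record content digest and permission bits for every regular file under root."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            snap[rel] = {"sha256": sha256_of(p), "mode": oct(p.stat().st_mode & 0o777)}
    return snap

def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify drift the way a FIM alert would: files added, removed or modified."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(k for k in both if baseline[k] != current[k]),
    }

def demo() -> dict:
    """Constructed scenario: baseline a small config tree, simulate drift, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "sudoers").write_text("root ALL=(ALL) ALL\n")
        (root / "app.conf").write_text("mode=prod\n")
        # Persist the baseline as JSON, as an agent would, then reload it for the check.
        baseline = json.loads(json.dumps(snapshot(root)))
        # Simulated drift: content change, permission change, deletion, new file.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "sudoers").chmod(0o600)
        (root / "app.conf").unlink()
        (root / "etc" / "new.conf").write_text("x=1\n")
        return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Each entry in the returned dictionary is what an alert review process would document: who changed the file, whether the change was authorised, and the ticket or evidence attached for the auditor.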

Implementation Support & Validation

Rather than managing tools directly, SecComply worked alongside the client to review SIEM and log management configurations, validate alert logic and logging coverage, ensure documentation aligned with PCI DSS expectations, prepare evidence required for audits, and define roles and responsibilities for incident handling. This ensured the client retained full ownership of their environment while remaining compliant.

Results

  • ✅ Successfully transitioned away from the previous MSSP
  • ✅ Achieved PCI DSS-aligned logging and monitoring
  • ✅ Implemented structured vulnerability management
  • ✅ Improved visibility across cloud and server environments
  • ✅ Prepared audit-ready documentation

Within the first month, over 25 million log events were validated for compliance coverage, change monitoring controls were confirmed operational, and compliance gaps were closed without disrupting operations.

Client Feedback

The client highlighted SecComply's clear and practical guidance, strong understanding of PCI DSS requirements, ability to translate compliance into actionable steps, and vendor-neutral consulting approach. They confirmed their intent to continue working with SecComply as they move toward PCI DSS v4 compliance.


Need PCI DSS compliance support?

SecComply helps fintech and payment organizations achieve PCI DSS alignment efficiently — without disrupting operations.