
PCI DSS Compliance for Vancouver and BC Businesses

Hexafusion delivers PCI DSS v4.0.1 compliance for Vancouver and Lower Mainland businesses that accept payment cards. Scope reduction first, then SAQ selection, then the controls and evidence work to get you to a passing attestation and keep you there.

Written by Alex Barari, founder of Hexafusion and a former PCI DSS Internal Security Assessor (ISA). The ISA credential is issued by the PCI Security Standards Council after formal training and a proctored exam, and authorises an individual to perform PCI DSS assessments on behalf of an organisation. The approach on this page comes directly from running real PCI programs from the inside.

Why most PCI DSS projects waste money

The most expensive mistake we see in Vancouver PCI work is the same one in every industry: a business agrees to fill out SAQ D (the catch-all 300-plus-question form) when a smaller SAQ would have applied if the environment had been redesigned first. The fix is almost always cheaper than the audit fatigue and ongoing evidence work that SAQ D produces year after year.

Our PCI engagements follow a deliberate sequence. Scope first, design second, controls third, attestation fourth. Reversing that order is how businesses end up in five-figure annual SAQ D programs when they could have qualified for SAQ A with a two-week change to their payment flow.

The nine SAQ types in plain language

The Self-Assessment Questionnaire (SAQ) is how merchants who are not required to produce a Report on Compliance (RoC) attest to PCI DSS compliance. There are nine of them. Picking the right one is half of the compliance work.

Each SAQ, who it applies to, and its approximate question count:

  • SAQ A (~30 questions): E-commerce or mail/telephone order merchants who have fully outsourced payment to a PCI-validated third party. The customer never enters card data on your domain.
  • SAQ A-EP (~150 questions): E-commerce merchants whose website redirects to a payment processor but where the merchant server touches the iframe or controls how the payment page loads.
  • SAQ B (~40 questions): Merchants who only use standalone dial-out terminals.
  • SAQ B-IP (~80 questions): Merchants who use IP-connected payment terminals (Moneris, Helcim, Square hardware) on an isolated network with no other systems.
  • SAQ C-VT (~80 questions): Merchants who use a web-based virtual terminal on a single dedicated computer with no other systems on that machine.
  • SAQ C (~160 questions): Merchants with payment application systems connected to the internet but isolated from the rest of the corporate network.
  • SAQ P2PE (~30 questions): Merchants using a PCI-validated point-to-point encryption solution. The terminal encrypts at the read head and your network never sees cardholder data in the clear.
  • SAQ SPoC (~60 questions): Software-based PIN entry on commercial off-the-shelf devices with a validated PIN solution.
  • SAQ D (~330 questions): The catch-all. Any merchant who does not fit a simpler SAQ. Also required for any service provider eligible for self-assessment.

Three SAQs (A, B, P2PE) take a handful of hours per year to maintain. SAQ D can easily absorb a full-time-equivalent month per year of evidence work. The scoping conversation is where that decision gets made.

Scope reduction patterns we use

Real examples of scope changes we have implemented for BC clients, anonymised:

Hosted iframe to full redirect

Move from an embedded payment iframe (SAQ A-EP, 150 questions, quarterly ASV scans on the web server) to a full redirect to the processor (SAQ A, 30 questions, no internal scans on the e-commerce server).

Validated P2PE terminals

Replace older IP-connected terminals with PCI-validated P2PE devices (Moneris Core, Helcim Smart Terminal, Square Terminal with P2PE attestation). Drops scope to SAQ P2PE: 30 questions and no network segmentation testing.

Tokenisation

Replace stored card numbers in your CRM or billing system with tokens from your processor. The processor stores the real card data. Your systems hold opaque tokens with no value to an attacker.

Network segmentation

Carve the cardholder data environment onto a dedicated VLAN with a hardware firewall. Verify isolation with documented segmentation testing. Reduces the number of systems in scope from 50+ to 3-5 in a typical retail case.

Phone payment redirection

For call centres and professional services that take cards by phone, route the cardholder through a DTMF masking service or an interactive voice response (IVR) flow so the agent never hears or sees the number. Drops the office network out of scope entirely.

Dedicated virtual terminal machine

If you must use a virtual terminal, dedicate one locked-down machine to it. No email, no browsing, no shared use. Drops you to SAQ C-VT instead of SAQ D.

The 12 PCI DSS v4.0.1 requirements at a glance

Every PCI program touches all 12 requirement families, even if many sub-requirements are not applicable for your SAQ. We map your environment to each requirement and produce evidence for the ones that apply.

Each requirement family and what it covers:

  1. Network security controls: Firewalls, segmentation, documented rules, regular review of inbound and outbound traffic.
  2. Secure configuration: Vendor defaults changed, configuration standards documented, only necessary services running.
  3. Protect stored account data: Minimise storage, encrypt what you must store, document retention and disposal.
  4. Protect data in transit: TLS 1.2 or higher on any public network, strong cipher suites, certificate management.
  5. Anti-malware: EDR or anti-malware on all systems in scope, signatures current, periodic scans, anti-phishing controls (new in v4.0.1).
  6. Secure development and patching: Patch critical CVEs within 30 days, secure coding practices, code review, change control.
  7. Restrict access by need to know: Role-based access, least privilege, documented access matrices, periodic recertification.
  8. Identify users and authenticate: Unique IDs, password length 12+ (v4.0.1), multi-factor authentication on all access into the cardholder data environment.
  9. Restrict physical access: Locked server rooms, badge logs, visitor sign-in, media disposal.
  10. Logging and monitoring: All access to cardholder data logged, logs reviewed daily (or automated), log integrity protected.
  11. Testing: Quarterly external ASV scans, internal vulnerability scans (authenticated as of v4.0.1), annual penetration testing, segmentation testing.
  12. Information security policy: Written policy, risk assessment, security awareness training, incident response plan, vendor management program.

What changed in v4.0.1 and what is mandatory now

PCI DSS v4.0.1 fully replaced v3.2.1 on March 31, 2024. Several new controls were future-dated and became mandatory on March 31, 2025. Anyone renewing on v3.2.1 today is no longer compliant. Key changes that matter for Vancouver SMBs:

  • MFA everywhere into the cardholder data environment. Not just remote and admin. Every account, every entry point.
  • Authenticated internal vulnerability scans. Internal scans must now log in to identify what an attacker with credentials would find.
  • Password length 12+ characters on accounts in scope. Longer than the v3.2.1 minimum.
  • Anti-phishing mechanisms. Email filtering, link rewriting, or equivalent. Documented and reviewed.
  • Targeted risk analyses replace some of the fixed timeframes. You can justify a longer interval if the risk analysis supports it.
  • Customised approach option. You can meet many controls with a documented alternative method if you can show the underlying risk is addressed and the assessor agrees.
  • E-commerce script integrity. Any script loaded into the payment page must be inventoried, justified, and integrity-monitored. This is where most SAQ A-EP merchants currently fall short.
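The script-integrity control above (inventory, justification, integrity monitoring) can be checked mechanically. The Python below is an added example, not Hexafusion's tooling or a PCI Council artefact; it assumes a hypothetical processor domain and constructed script bodies, parses a payment page, and flags any script that is absent from the approved inventory, lacks the approved Subresource Integrity (SRI) hash, or whose currently served body no longer matches that hash.

```python
import base64, hashlib
from html.parser import HTMLParser

def sri_hash(body: bytes, alg: str = "sha384") -> str:
    # Subresource Integrity value for a script body: "<alg>-<base64 digest>"
    return f"{alg}-{base64.b64encode(hashlib.new(alg, body).digest()).decode()}"

class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))
            self._open = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False
    def handle_data(self, data):
        if self._open and data.strip():
            self.scripts[-1]["inline"] = True

def audit_payment_page(html: str, inventory: dict, served: dict) -> list:
    # Returns (finding, src) pairs; an empty list means every script is inventoried, carries
    # the approved SRI hash in its integrity attribute, and the body currently served matches it
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for tag in parser.scripts:
        src = tag.get("src")
        if src is None:  # inline code cannot carry SRI; it needs its own documented justification
            findings.append(("inline-script", "<inline>"))
        elif src not in inventory:
            findings.append(("not-in-inventory", src))
        elif tag.get("integrity") != inventory[src]:
            findings.append(("integrity-attribute-missing-or-wrong", src))
        elif src not in served or sri_hash(served[src]) != inventory[src]:
            findings.append(("served-body-modified", src))
    return findings

# Constructed sample data: hypothetical processor URLs, not any real vendor's scripts
CHECKOUT_JS = b"window.Checkout = { pay: function (f) { return f; } };"
FRAUD_JS = b"window.fraudSignals = [];"
CHECKOUT_URL, FRAUD_URL = "https://js.processor.example/checkout.js", "https://js.processor.example/fraud.js"
INVENTORY = {CHECKOUT_URL: sri_hash(CHECKOUT_JS), FRAUD_URL: sri_hash(FRAUD_JS)}  # hashes approved at review
PAYMENT_PAGE = f"""<html><body><form id="card"></form>
<script src="{CHECKOUT_URL}" integrity="{INVENTORY[CHECKOUT_URL]}"></script>
<script src="{FRAUD_URL}" integrity="{INVENTORY[FRAUD_URL]}"></script>
<script src="https://cdn.analytics.example/tag.js"></script></body></html>"""
# What those URLs currently serve; fraud.js has been changed since its hash was approved
SERVED = {CHECKOUT_URL: CHECKOUT_JS, FRAUD_URL: FRAUD_JS + b" // changed after approval"}
```

Run the audit on a schedule against the live payment page and the bodies fetched from each script URL; any non-empty result is the change-detection event the requirement asks you to alert on and investigate.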

How we run a PCI engagement

Standard 5-phase program, scaled up or down depending on SAQ level:

  1. Scoping (week 1). Map every payment flow. Inventory every system that stores, processes, or transmits cardholder data. Identify the simplest SAQ that fits, or the changes that would get you to a simpler SAQ. Free 30-minute scoping conversation precedes any paid work.
  2. Gap assessment (weeks 2-3). Against the target SAQ, identify which requirements are met, which are partially met, and which are open. Written gap report with a remediation plan.
  3. Remediation (weeks 4-X). Close gaps in order: scope-reducing changes first, technical controls second, documentation third. Most SAQ A and SAQ B clients are remediated in 4-6 weeks. SAQ D programs run 4-9 months.
  4. Evidence and attestation. Collect evidence for every applicable sub-requirement, complete the SAQ, sign the Attestation of Compliance, submit to your acquirer.
  5. Quarterly and annual maintenance. ASV scans every quarter. Internal scans every quarter. Segmentation testing annually. Policy review annually. Annual re-attestation.

PCI DSS overlaps with PIPEDA and BC PIPA

If you handle payment cards in Canada you almost certainly also handle other personal information that falls under PIPEDA and BC's Personal Information Protection Act. The good news: most PCI DSS controls also satisfy the PIPEDA "Safeguards" principle and PIPA's "reasonable security arrangements" standard. We deliver the documentation in a way that maps cleanly to both frameworks at once, so you do not rebuild evidence twice.

Industries where we run PCI programs

Dental clinics

Payment terminals at the front desk, often commingled with patient management software. Scope reduction via P2PE terminals is the standard play.

Medical clinics

PHIPA/PIPA overlay with PCI. We deliver both compliance packages from one assessment.

Law firms

Trust account payments and credit card retainers. DTMF masking on phone payments is common.

Accounting firms

Client payments for tax season. Hosted page redirects from the firm portal keep most firms in SAQ A.

Retail and hospitality

In-store terminals, e-commerce, and gift cards. Common path: validated P2PE for in-store, redirect for web, SAQ A or SAQ P2PE.

E-commerce

Stripe Checkout, Square Online, or Shopify Payments. We confirm the integration is a true redirect, not an embedded form, and lock in SAQ A.

What we deliver

  • Written scoping report and SAQ selection recommendation.
  • Gap assessment against PCI DSS v4.0.1 controls applicable to your SAQ.
  • Remediation plan with priority order and effort estimates.
  • Quarterly ASV scan coordination through one of the PCI Council validated vendors.
  • Authenticated internal vulnerability scanning (managed by us).
  • Annual segmentation testing with documented evidence.
  • Information security policy template tuned to your industry, in plain English, ready to ratify.
  • Incident response plan that satisfies requirement 12.10 and PIPEDA breach notification at the same time.
  • Annual Self-Assessment Questionnaire completion and Attestation of Compliance.
  • Vendor management register for all your service providers in scope.
  • Evidence package ready for cyber insurance renewals.

FAQ

Who needs to comply with PCI DSS in Canada?

Any business that accepts, stores, transmits, or processes payment card data. Enforcement is contractual through your acquiring bank, not regulatory through a Canadian agency. Non-compliance exposure: fines from the acquirer, increased transaction fees, loss of processing rights, and full liability if a breach occurs while non-compliant.

Is v3.2.1 still acceptable?

No. v3.2.1 was fully retired on March 31, 2024. v4.0.1 is the only current version.

Do we need a QSA or can we self-assess?

Most BC SMBs (under 6 million card transactions per year per brand) qualify for self-assessment. A Qualified Security Assessor (QSA) is required for Level 1 merchants, certain service providers, and any merchant whose acquirer mandates a full Report on Compliance. Our engagement model supports both: we run self-assessment programs end to end, and we work alongside your chosen QSA during full RoC assessments.

How long does a PCI program take?

Depends on starting SAQ category. SAQ A merchants with hosted payment flows: 2-4 weeks. SAQ B-IP or SAQ P2PE merchants: 4-8 weeks. SAQ D merchants with internal cardholder data: 6-12 months of remediation before the first passing attestation.

Will Stripe, Square, or Moneris keep us PCI compliant on their own?

They handle their own compliance and absorb significant burden for you, but you still have a residual SAQ to complete. The lightest SAQ (A) is about 30 questions and still requires policies, training, vendor management, and incident response. The processor does not sign your attestation.

What is the role of an Internal Security Assessor (ISA)?

An ISA is an internal employee of an organisation who has been trained and certified by the PCI Security Standards Council to perform PCI DSS assessments for that organisation. The credential requires formal training, a proctored exam, and ongoing continuing education. Hexafusion founder Alex Barari held the ISA credential while working in a previous in-house role and brings that depth of program experience to client engagements.

What happens if we fail an ASV scan?

You have 90 days from the end of the quarter to produce a passing scan. Most failures are patchable within a week (missing browser cipher suite, old TLS version, missing security header, unpatched component). We coordinate the rescan with the ASV at no extra cost as part of our quarterly program.

Does cyber insurance care about PCI?

Yes, in two ways. First, many underwriters ask whether you accept cards and whether you are PCI DSS compliant. A "no" or "do not know" answer materially affects pricing. Second, in the event of a breach involving cardholder data, the insurance carrier will request your evidence of compliance at the time of incident. Card brand fines and forensic investigation costs (PFI engagement, around CA$30,000 to CA$80,000) are typically covered only if you can show you were compliant.

Book a PCI scoping call

30-minute conversation with a former PCI DSS Internal Security Assessor. We map your payment flows, identify the simplest SAQ that applies, and outline the scope reduction options. The call is free.

