Xcina Case Study

PCI DSS Assessment for Infrastructure Service Provider

Achieve and maintain PCI DSS compliance across multiple jurisdictions and operating models.

The Challenge

The Client faced a uniquely complex PCI landscape:

  • It operated as a Level 1 Service Provider in the UK, requiring a full annual Report on Compliance (RoC).
  • In mainland Europe, it functioned as a Level 2 Merchant, requiring a Self-Assessment Questionnaire (SAQ) and supporting documentation.
  • The cardholder data environment (CDE) spanned multiple regions and service offerings, making discovery and scope clarity essential.
  • Internal teams needed expert guidance to align control maturity across countries and prepare evidence for formal assessments.

To meet these requirements, the Client sought a Qualified Security Assessor Company (QSAC) that could provide end-to-end support, technical clarity, and continuity across the entire compliance lifecycle.

Methodology and Approach

Xcina was engaged as the Client’s chosen QSAC to deliver a structured and repeatable approach:

  1. Quarterly Continuous Improvement Assessments

We conducted ongoing assessments every quarter, providing:

  • Clear findings and prioritised recommendations
  • Continuous visibility into the Client’s compliance posture
  • Advice on evolving PCI DSS requirements and industry changes

This ensured the Client remained audit-ready throughout the year.

  2. UK Level 1 Service Provider – Full RoC Assessment

Xcina delivered:

  • A detailed findings report outlining remediation priorities
  • A full PCI DSS Report on Compliance (RoC)
  • A formally signed Attestation of Compliance (AoC)

These deliverables enabled the Client to demonstrate its service provider compliance to customers and partners.

  3. Netherlands & Europe – Level 2 Merchant SAQ

For the Client’s European operations, we provided:

  • A summary report of findings and recommended remediation
  • A QSA-validated PCI DSS SAQ with a countersigned AoC

This provided the necessary compliance proof for customers in the Netherlands and mainland Europe.

Results and Outcome

Through this structured, multi-region engagement, the Client achieved:

  • Clear definition and documentation of its CDE across the UK and Europe
  • Alignment of security controls across different operational models
  • Successful completion of both the RoC and SAQ assessments on schedule
  • A strengthened compliance programme supported by quarterly assessments
  • Increased customer confidence supported by QSA-validated deliverables

What This Means for You

Whether you operate as a Service Provider, Merchant, or both, Xcina delivers:

  • Multi-jurisdiction PCI DSS support
  • Continuous compliance monitoring
  • Expert guidance on complex, hybrid CDEs
  • High-quality RoC and SAQ validations
  • A long-term partnership, not just a point-in-time assessment

To find out more about how we can assist you, please refer to our PCI DSS Solutions and Services at https://xcinaconsulting.com/services/pci-dss-compliance/

Industry and sector:

Infrastructure & Facilities Management

Solutions and service area:

Xcina’s objective:

The client was a large infrastructure management provider operating in both the UK and mainland Europe. As part of a multi-year programme to enhance its security posture and meet contractual obligations to customers, the organisation needed to achieve and maintain PCI DSS compliance across multiple jurisdictions and operating models.

We’d love to hear from you

To discuss how the areas highlighted in this case study, or any other aspect of risk management, information governance or compliance impact your business, speak with our team, tell us what matters to you and find out how we can help you navigate complex issues to help you deliver long term value.

If you have any questions or comments, or if there’s anything you would like to see covered, please get in touch by emailing Xcina Consulting at info@xcinaconsulting.com. We’d love to hear from you.

Roger Greyling

Information Security Senior Consultant

Speak to me directly by Email, or
Telephone: +44 (0)2037 457 842
