As a Qualified Security Assessor (QSA) company, EDGENETIC has been approved by the Security Standards Council (SSC) to measure an organisation’s compliance to PCI DSS standards.

EDGENETIC provides PCI Audit and PCI Certification services for organisations all around the world. EDGENETIC’s audits assess both service providers and merchants to help them maintain compliance year after year.

What Is a PCI DSS Assessment?

To demonstrate PCI DSS compliance to an acquiring bank or customers, organisations must undergo a formal PCI DSS assessment. Our QSAs are certified by the PCI Security Standards Council (SSC) to conduct on-site assessments and create a Report on Compliance (ROC). The ROC is a formal report created by the QSA that allows a merchant or service provider to demonstrate their compliance with PCI DSS standards.

The QSA will also create and sign an Attestation of Compliance (AOC). An ROC and AOC demonstrate a merchant’s compliance with their acquiring bank. For service providers, the AOC can be used to demonstrate compliance to customers and can provide a competitive edge.

The PCI DSS assessment, or audit, is delivered on-site by our QSAs. During the assessment, the QSA will work with your team to gather evidence that all applicable PCI DSS requirements are in place by following a detailed checklist. The QSA will interview employees, review documentation, and observe the systems and processes in action as part of their evidence-gathering process.


Who Needs An Assessment?

Requirements for demonstrating PCI DSS compliance will differ depending on how many transactions your organisation processes each year. Your transaction volume determines how you report your status.

Guidance from credit card brands and acquiring banks varies, but the table below provides some basic information. A EDGENETIC QSA will work with your organisation to confirm the precise reporting requirements for your organisation.

LevelCriteriaAssessment requirement

Any merchant that has suffered a hack or an attack that resulted in an Account Data Compromise (ADC) event

Any merchant having more than six million total combined transactions annually

Any merchant the card brand or acquiring bank determines should meet the Level 1 merchant requirements to minimise risk to the system

Annual on-site assessment by a QSA
 2Any merchant with more than one million but fewer than or equal to six million total combined transactions annually

Annual self-assessment questionnaire completed by a certified internal security assessor, or

Annual on-site assessment by a QSA

3Any merchant with 20,000 – 1 million e-commerce transactions annually but fewer than or equal to one million total combined e-commerce transactions annually

Annual self-assessment questionnaire, or

Annual on-site assessment by a QSA


Fewer than 20,000 e-commerce transactions annually, and fewer than 1 million overall transactions annually

Annual self-assessment questionnaire, or

Annual on-site assessment by a QSA


Get a free quote

LevelCriteriaAssessment requirement

Any service provider that stores, processes, and/or transmits more than 300,000 total combined transactions annually

All Third Party Processors (TPPs)

All Staged Digital Wallet Operators (SDWOs)

All Digital Activity Service Providers (DASPs)

All Token Service Providers (TSPs)

All 3-D Secure Service Providers (3-DSSPs)

Annual on-site assessment by a QSA

Any service provider that stores, processes, and/or transmits less than 300,000 total combined transactions annually

All Terminal Servicers (TSs)

Annual self-assessment questionnaire

What is Included in a PCI DSS Audit?

If your organisation pursues a PCI DSS Audit with EDGENETIC, you will gain access to many of the features which make us one of the most outstanding cyber experts in the field. There are different types of audits that an organisation can perform, each for different purposes and adhering to diverse standards.

On-site assessment and Report on Compliance (ROC)

Our QSA will come to your site to assess whether your organisation adheres to the audit guidelines. You will receive a detailed report outlining your compliance as well as deliver a signed Attestation of Compliance form if all conditions are met.

Validated self-assessment

Your organisation can benefit from both an on-site QSA review and a self-assessment questionnaire (SAQ). This is checked against the QSA review and countersigned if all requirements are met. The QSA will also sign an AOC for your organisation.


A self-assessment completed by the organisation is not validated by our QSAs. The organisation drafts an SAQ and AOC without external validation.

More Than Just a QSA

Our team of QSAs are more than auditors; they provide consultancy services to our clients in areas outside of PCI DSS. Why does this matter? PCI DSS might not be optional for your organization in Hong Kong, but it doesn’t need to become a roadblock. Because our QSA team consults across various disciplines alongside gathering evidence to complete a compliance report, your QSA will also note any opportunities for improvement that they observe.

We have a reputation for taking a pragmatic and realistic approach to PCI DSS audits, and our history of delivering PCI DSS assessments for some of the UK’s largest retailers and service providers means we have faced many of the challenges your organisation must overcome before. This means we understand many of the difficulties that an on-site assessment may present, and can help overcome these with you through good planning and professional delivery.

Frequently Asked Questions About PCI DSS Testing

Why trust EDGENETIC for PCI DSS Testing?

EDGENETIC is proudly accredited by CREST across all major disciplines. Our staff are all highly trained experts who continue to develop their technical skills with our encouragement. As a result, we have the highest qualifications in penetration testing, red teaming, incident response services, and threat intelligence. We have experience working within highly regulated industries such as the financial and healthcare sectors. These accreditations reflect our rigorous approach to cybersecurity. By choosing EDGENETIC, your organisation joins a global client base of businesses that have chosen to take their cyber health seriously.

What do the PCI DSS requirements include in Hong Kong?

The Payment Card Industry Data Security Standard (PCI DSS) in Hong Kong requires that merchants fulfil a few key criteria. These include having an effective firewall configuration, not overusing vendor-supplied defaults for passwords and other security parameters, protecting card-holder data through encryption, regular anti-virus software updates, and restricting physical access to cardholder data. These are a sample of the requirements which our QSAs will check in their audit.

What other services does EDGENETIC provide?

Alongside providing PCI DSS assessments to Hong Kong merchants, EDGENETIC offers other vital services Penetration Testing, Bug Bounty programmes, managed network and security services, and Incident Response assistance. We work with organisations all over the world to ensure that they are cyber secure and adhering to local and international cybersecurity regulations.

Frequently Asked Questions about Data Privacy Security

What is an incident response policy?

An Incident response plan or policy is a process you create before you experience a cyberattack. This is so that your team has a procedure to follow when you do experience a data breach. EDGENETIC follows the CREST Cybersecurity Incident Response process which is broken down into 3 phases: preparation, response, and follow up. Having a breach plan gives you the confidence to quickly nullify any threat to your data privacy security.

Why is data privacy security important?

Although it has always been important, the implications and need for higher security are coming into play now that technology is indispensable to everyday life. Using apps, browsing websites, and shopping online are all examples of how your data will be stored and managed online. For organisations today, the threat of cyber theft is a pertinent one. Having comprehensive data privacy plans in place can reduce and mitigate the risks of such events.

Does EDGENETIC practice sustainability?

As a company with a global footprint, sustainability is an area of importance to us. We are a registered ‘Investor in People’ organisation. Taking a cue from ISO 14001, we have strong sustainability practices put in place. Our organisation also hires fairly and equally, across gender and race. By working with us, you can rest assured that we implement data privacy security measures with ethics at the core of our mission.

Get in touch via the form below and get a free quote from us for our Red Team Security Testing services.