Governance. Risk. Compliance. Cybersecurity.
MAST Consulting Group

Timeline — PCI DSS v4.0 Compliance

A realistic week-by-week view of how a PCI DSS v4.0 compliance engagement runs. Timelines compress for smaller scopes and extend for multi-entity or multi-site programmes; this baseline assumes a mid-size enterprise with a single cardholder data environment (CDE).

Delivered by an ISO/IEC 27001, 27701 & 9001 certified organisation

Week-by-week plan

Week        | Phase                  | Key activities                                                                                                                      | Output
Weeks 1–2   | Scoping & CDE Mapping  | Identify all systems that store, process or transmit cardholder data, plus connected-to systems and those that can affect CDE security. | Signed-off scoping & CDE mapping pack and gate review
Weeks 3–4   | Gap Analysis           | Detailed assessment against all 12 PCI DSS v4.0 requirements.                                                                       | Signed-off gap analysis pack and gate review
Weeks 5–6   | Remediation            | Technical and process fixes, network segmentation, key management.                                                                  | Signed-off remediation pack and gate review
Weeks 7–8   | Validation             | Penetration testing, external vulnerability scans by an Approved Scanning Vendor (ASV), internal audit.                             | Signed-off validation pack and gate review
Weeks 9–12  | RoC / SAQ              | Report on Compliance or Self-Assessment Questionnaire support.                                                                      | Signed-off RoC / SAQ pack and gate review
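The scoping phase above turns on one practical question: where does a primary account number (PAN) actually appear? The usual technique is to sweep logs, exports and file shares for candidate digit runs and keep only those that pass the Luhn check, then report them masked so the scoping pack itself does not become cardholder data. The script below is an added example of that technique, not the consultancy's tooling or any real client data; the sample lines are constructed (they use publicly known test card numbers), and the "first six, last four" masking is an assumed display policy, chosen because PCI DSS v4.0 Requirement 3.4.1 allows at most the BIN and last four digits to be shown.

```python
import re

# Constructed sample input (NOT real data): one Luhn-valid test PAN, one
# 16-digit number that fails Luhn, a phone number, an already-masked PAN,
# and a space-separated Luhn-valid test PAN.
SAMPLE_LINES = [
    "2024-05-01 order=1001 pan=4111111111111111 amount=19.99",
    "2024-05-01 order=1002 pan=4111111111111112 amount=5.00",
    "2024-05-01 customer phone=+44 20 7946 0958",
    "2024-05-01 order=1003 pan=411111******1111 amount=7.50",
    "2024-05-02 order=1004 card: 5555 5555 5555 4444",
]

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run. Length bounds follow real PAN lengths.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to first six + last four (assumed display policy; see lead-in)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(lines):
    """Scan lines for PAN candidates.

    Returns (findings, rejected): findings are (line_no, masked_pan) for
    Luhn-valid candidates; rejected are Luhn-invalid candidates, also
    masked, kept so the regex can be tuned against false positives.
    """
    findings, rejected = [], []
    for line_no, line in enumerate(lines, start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append((line_no, mask_pan(digits)))
            else:
                rejected.append((line_no, mask_pan(digits)))
    return findings, rejected


if __name__ == "__main__":
    found, dropped = find_pans(SAMPLE_LINES)
    for line_no, masked in found:
        print(f"line {line_no}: live PAN {masked}")
    for line_no, masked in dropped:
        print(f"line {line_no}: digit run {masked} failed Luhn, ignored")
```

Run against the constructed lines it reports lines 1 and 5 as in-scope hits, drops line 2 as a Luhn failure, and never matches the phone number or the already-masked value. In a real sweep the same function is pointed at log directories, database exports and ticketing attachments; every hit is a system that belongs in the CDE map, and every unexpected hit is usually a logging or debugging path that was never meant to see a PAN.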

What accelerates the timeline

  • Executive sponsor engaged from day one with weekly steering attendance.
  • Existing asset inventory, network diagrams and HR org chart available.
  • GRC tooling already deployed or selected (Vanta, Drata, Archer, ServiceNow).
  • Workforce available for awareness training within the engagement window.

What typically extends it

  • Multiple legal entities, brands or geographies in scope.
  • Significant cloud migration running in parallel.
  • Open audit findings or regulator enforcement requiring remediation first.
  • Mergers, divestitures or system replacements mid-engagement.