E-Commerce Platform Accelerates PCI DSS Re-Certification by 60%
Processing $2B in annual transactions, a high-growth retailer used AssureIQ to compress its compliance cycle while simultaneously onboarding two new payment processors.
The Challenge
CartNova (name anonymized) is a marketplace platform processing $2B in annual GMV across three countries. As a Level 1 PCI DSS merchant, it undergoes an annual Report on Compliance (RoC) audit with a Qualified Security Assessor (QSA). With two new payment processors being onboarded simultaneously and a go-live deadline locked to peak shopping season, the compliance team was under unprecedented pressure.
The existing approach involved six compliance analysts maintaining separate control trackers in Excel, coordinating evidence collection via email, and holding bi-weekly status meetings to reconcile gaps. The prior year's RoC had taken 18 weeks from kickoff to final report. With the new processor onboarding adding scope complexity, that timeline was at risk of extending further — pushing the re-certification past the contractual deadline with their primary acquiring bank.
Leadership needed the re-certification cycle compressed to under 10 weeks without adding headcount, while simultaneously managing the scope changes introduced by the two new processors.
The Approach
DEKA deployed AssureIQ under the Assurance tier. The implementation began with a scope mapping exercise that documented the Cardholder Data Environment (CDE) boundaries for all three payment processor configurations, establishing the control baseline for the RoC.
All 12 PCI DSS requirements were loaded into AssureIQ with evidence items, control descriptions, and responsible owners assigned within the first two weeks. The six compliance analysts were onboarded to the platform's workflow, replacing the Excel-email-meeting cycle with a single source of truth and automated evidence freshness alerts.
When the QSA began their assessment in week five, CartNova was able to provide a structured evidence package directly from AssureIQ — pre-sorted by requirement and annotated with ownership details. The QSA described it as "the most field-ready evidence package" they had encountered in an e-commerce audit of comparable scope.
The Results
The RoC completed in 7 weeks from kickoff — versus 18 weeks the prior year. Both new payment processors were onboarded within the same cycle, with their CDE scoping documented in AssureIQ alongside the primary certification tracks. The acquiring bank deadline was met with three weeks to spare.
"We cut our certification cycle from 18 weeks to 7. The QSA said it was the cleanest evidence package they'd seen. We walked in prepared instead of scrambling."
— VP of Security, CartNova
18 → 7 weeks: Certification cycle time
2 processors: Onboarded same cycle
3 weeks early: Ahead of acquiring bank deadline
Zero QSA exceptions: Evidence-related findings