Emerging threats

We support organisations striving to build a trustworthy, safe online environment where users can engage authentically in their communities.
Commercial organisationsWe support commercial organisations operating in a digital world, seeking to protect their reputation and prevent business disruption caused by cyber attacks and compliance breaches.
International programmes and developmentWe support international government organisations and NGOs working to provide infrastructure or improve the capabilities, security and resilience of their nation.
UK government and public sectorWe support UK government organisations responsible for safeguarding critical infrastructure, preserving public trust, and maintaining national security.



Retail businesses are good at implementing things like new technology and payment channels. What often goes unnoticed is the compliance and operational overhead that accumulates around them, building quietly in the background, year after year, and lingering long after the technology itself has been replaced.
We frequently see retail clients burdened by PCI DSS compliance scopes that are 40%, even up to 50%, larger than required. So, the question worth asking is whether your compliance engagements identify opportunities to reduce scope and simplify compliance.
The structural reasons are specific to retail in a way that don't apply to most other industries, making the sector particularly vulnerable to scope creep.
Every payment channel a retailer adds (click-and-collect, a new mobile app, self-checkout) introduces systems into their Cardholder Data Environment. That's expected and unavoidable. What's less expected is that those systems almost never leave scope. The channel gets built, the scope expands to include it, and from that point on, it becomes part of the annual renewal – and often nobody questions whether it still needs to be there.
Legacy POS infrastructure compounds this. Many mid-market retailers are running point-of-sale systems that are a decade old, sitting on flat networks where poor segmentation means that systems with no operational relationship to payment data end up in scope simply because of how the network is laid out. The PCI SSC is explicit on this point: assume everything is in scope until verified otherwise. In a flat network, that assumption is expensive.
Third-party vendors extend the problem further. Every integration that touches or could affect the CDE (Payment gateways, IT support providers, cloud platforms, loyalty programme vendors) pulls additional compliance obligations into the merchant's programme. Many retailers haven't formally reviewed these relationships since the integrations were first stood up – a missed opportunity to cut compliance costs.
Then there's the seasonal dimension unique to retail. Peak trading brings temporary terminals, additional payment channels, third-party staffing with system access. It gets stood up quickly. It rarely gets formally decommissioned from a CDE perspective once the season ends.
The result is a compliance programme that accumulates year on year.
There’s part of this conversation that the industry tends to overlook simply because of how compliance engagements are typically set up.
Annual PCI programmes are usually scoped once, at the start of a supplier relationship, and renewed on that basis each year. The assessment cycle runs, the controls get tested, the report gets issued, and the same scope becomes the baseline for the following year. It's a reasonable model for maintaining compliance, but not one that naturally surfaces opportunities to reduce it.
The result, in practice, is a lot of "see you next year, same as before"—programmes that get automatically renewed rather than challenged. Often, a reassessment isn’t built into the process, and most clients don't know to ask for it.
As a retailer's security posture matures—implementing better controls, tooling and automation—its compliance footprint should reflect that. A business that has invested seriously in modern payment infrastructure should be carrying less compliance overhead than it was five years ago, not more. Good consultancy, delivered over time, should make a programme leaner and more focused, not just maintain what was originally built.
The question for any retailer in a long-standing compliance relationship is a simple one: is your engagement structured to cut unnecessary costs, or just to renew what's already there?
The clearest illustration in PCI is the difference between SAQ A and SAQ A-EP: The two self-assessment questionnaire types most relevant to ecommerce merchants.
An ecommerce retailer on SAQ A-EP is subject to approximately 150 controls. The same retailer, if their payment page is fully hosted by a PCI-compliant third party with no scripts executing in the consumer's browser that they control, may qualify for SAQ A, which carries just 27 controls. That’s a significant change in compliance burden, internal resource requirement and ongoing costs.
Moving between those two isn't always straightforward, but it is often possible, and it is frequently the kind of work that isn’t considered when the annual engagement is built around maintaining the status quo rather than challenging it.
Telephone payments are another common example. Many retailers continue to support legacy telephone payment processes for a channel that represents only a small fraction of transaction volume. The result can be a PCI scope aligned to SAQ C (approximately 130 controls) or SAQ C-VT (around 50 controls). In contrast, a well-designed DTMF masking solution can reduce the environment to SAQ A, with as few as 27 controls. Yet many organisations continue to carry the larger scope simply because the payment channel was designed years ago and has never been reassessed.
The transition to PCI DSS v4.0.1 (now fully mandatory) introduced a formal annual scope validation requirement (Requirement 12.5.2). Organisations must now document and confirm their scope every year, or whenever there is a significant change to their environment.
That requirement is either a bureaucratic box-tick or a genuine opportunity depending entirely on whether it's treated as a real challenge to what's in scope or simply a renewal of last year's answers. Retailers who use the v4.0.1 transition as a reason to ask the hard questions will come out of it materially better off, both operationally and financially. Those who don't will keep maintaining a programme that was scoped for an outdated version of their business.
Where to start
If your organisation hasn't formally challenged its PCI scope in the last 12 months, a few questions are worth raising with your assessor:
These are questions that aren’t typically considered in the process unless someone specifically raises them. That's why who you choose as your assessor matters more than it might appear. The technical work of a PCI assessment is broadly consistent across qualified providers. What varies is whether your assessor arrives each year with the intent to maintain your programme or to actively improve it.
At PGI, challenging scope is built into how we approach every engagement, not something clients have to ask for. We think a compliance programme should get leaner and more focused as a business matures, and that a good assessor should be willing to tell you when you can remove unnecessary costs.
If you'd like an independent view of where your current PCI scope sits, or you're simply not sure when it was last formally challenged, get in touch with us.

The Ministry of Defence (MoD) recently requested that all industry partners must achieve at least DCC Level 0 by the end of 2026.

The Defence Cyber Certification (DCC) scheme runs from Level 0 up to Level 3, but the most significant step is the one between 0 and 1.

Many organisations invest heavily in ISO 27001 and PCI DSS year after year — but few realise they may be paying for a scope that is larger, more complex, and more expensive than necessary.