We're not your typical buttoned-up consultancy. We're a band of lawyers and engineers who navigate PCI DSS so you don't lose sleep over it.
GMT.band has been operating since 2024, formed by people who got tired of watching compliance become a box-ticking nightmare. We merged legal precision with engineering depth to build something different — a lean crew that gets merchants from "where do I even start" to fully certified without the jargon overload.
Every person on our team holds either a legal qualification or a technical security certification — most hold both. We work under PCI DSS v4.0.1 standards and keep pace with every council update so our clients are never caught off guard.
We don't do "one-size-fits-all." We scope your cardholder data environment, identify the shortest compliant path, and execute — fast, transparent, no hidden fees.
External vulnerability scanning of your internet-facing infrastructure, performed by Clone Systems, Inc. — a PCI SSC Approved Scanning Vendor. All scan reports and attestations are issued under Clone Systems' ASV certification.
The shortest path to PCI validation for card-not-present merchants. We assess your eligibility, fill in the 24-requirement questionnaire, and prepare it for submission.
The formal, signed declaration your acquirer and partners actually ask for. We prepare your AOC on official PCI SSC templates — scoped, dated, and legally sound.
The full policy and procedure stack that PCI DSS requires — written by lawyers, reviewed by engineers. Not templates. Bespoke documents tailored to your environment.
The tangible proof of your PCI DSS compliance — issued after a successful assessment. Valid for 12 months and recognized by card brands, acquirers, and partners.
Don't know where you stand? We audit your current security posture against PCI DSS v4.0.1, identify every gap, and build a prioritized remediation roadmap.
We map your cardholder data environment, identify which SAQ type applies, and define the exact boundary of your assessment.
External ASV scans are run against your infrastructure. We complete the relevant SAQ, document findings, and flag any gaps.
If issues surface, we guide fixes and rescan. Simultaneously, your full documentation suite is drafted and reviewed.
AOC is signed, compliance certificate is issued, and all deliverables are packaged for your acquirer. You're live.
PCI DSS (Payment Card Industry Data Security Standard) is a global security standard required for any business that accepts, processes, stores, or transmits credit card data. If you take card payments — yes, you need it.
SAQ A is the simplest form — for merchants who fully outsource payment processing to PCI-compliant third parties (like Stripe or PayPal). Your systems never touch cardholder data. Other SAQ types (B, C, D) cover increasingly complex environments.
An ASV (Approved Scanning Vendor) scan is an automated external vulnerability check of your internet-facing systems. PCI DSS requires these quarterly — four times a year — plus after any significant network changes.
The AOC (Attestation of Compliance) is a formal signed document proving your PCI compliance. Banks and acquirers request it because it confirms your status without exposing your internal security details.
Part 3a (Merchant Executive Officer) must be signed by the director, CEO, or an authorized representative of the merchant company. This is a mandatory requirement — the signature confirms the merchant's acknowledgment of their compliance status.
The full compliance process — from initial scoping to signed certificate — typically takes 3–8 weeks depending on your environment complexity and remediation needs.
Certificates and AOCs are valid for 12 months from the assessment date. Quarterly ASV scans must continue throughout the year. We handle renewal reminders so you never lapse.