This project reflects the type of work I support in real-world engagements. The documentation uses synthetic data; no client information is reproduced, and the templates are either self-developed or sourced from open-source resources.
Supported a PCI DSS gap assessment for an e-commerce merchant (Ikigai) processing approximately 50,000 transactions a year through a fully outsourced payment model via Paystack. Because customers are redirected to Paystack's PCI-validated hosted payment environment, Ikigai's internal systems never store, process, or transmit cardholder data, which qualifies the merchant for SAQ A.
Accordingly, this assessment focused on two requirement areas for Ikigai's corporate systems: Requirement 8 (user identification, authentication, and access control) and Requirement 10 (logging and monitoring). Both were evaluated against PCI DSS v4.0.1 to determine readiness for SAQ A submission and to validate the outsourced payment model.
- Administered a structured PCI DSS Scoping Questions Checklist to confirm SAQ A eligibility, map payment data flows, and identify in-scope systems under the fully outsourced payment model.
- Generated a Pre-QSA Readiness Evidence Pack to map existing controls against the applicable PCI DSS requirements and to track evidence collection across policies, technical configurations, and vendor documentation.
- Performed evidence-based testing, documented in the PCI DSS Gap Assessment Report, including Google Workspace configuration reviews, admin panel security analysis, a service account inventory, and log retention verification.
- Inactive User Accounts (High): Two former staff accounts remained active because there was no formal offboarding process. Recommendation: Disable accounts at termination (within 24 hours at the latest) and implement quarterly access reviews to catch accounts that slip through.
- Log Tampering Risk (High): Admin panel logs were stored on the same server that admin users could write to, so any admin could alter or delete them, and no tamper detection was in place. Recommendation: Ship logs to separate storage with append-only permissions and implement file integrity monitoring on the log files.
- Missing MFA (Medium): The admin dashboard was protected by username and password only, with no multi-factor authentication. Recommendation: Enforce MFA for all administrative access, for example via a Google Authenticator (TOTP) plugin.
- Insufficient Log Retention (Medium): Admin panel logs were retained for only 30 days, short of the PCI DSS requirement to retain audit logs for at least 12 months with at least three months immediately available for analysis. Recommendation: Raise online retention to at least 90 days and implement a 12-month archive.
- Hardcoded Service Account Password (Low): The database connection used credentials embedded in configuration files, with no rotation schedule. Recommendation: Move credentials out of the configuration files into environment variables or a secrets manager, restrict read access to the runtime account, and rotate them quarterly.
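The Requirement 8 and 10 checks behind the findings above can be expressed as small, repeatable tests over the collected evidence. The block below is an added example and is not part of the assessment deliverables or Ikigai's systems: the account records, log lines, and retention figures are constructed, the 90-day inactivity and 12-month/3-month retention thresholds are the PCI DSS v4 values as understood here, and the append-only check is a plain prefix-hash test rather than any specific FIM product.

```python
"""Readiness checks for the access-review and log-integrity findings.

Added example; all account records, log bytes and retention figures below
are constructed for illustration.
"""
import hashlib
from datetime import date

INACTIVE_DAYS = 90       # PCI DSS 8.2.6: remove/disable accounts inactive > 90 days
ONLINE_DAYS = 90         # PCI DSS 10.5.1: at least 3 months immediately available
RETENTION_DAYS = 365     # PCI DSS 10.5.1: at least 12 months retained in total

TODAY = date(2025, 3, 31)  # assumed review date

# Constructed account inventory (as exported from an identity provider or app).
SAMPLE_ACCOUNTS = [
    {"user": "alice", "role": "admin", "active": True,  "mfa": False,
     "last_login": date(2025, 3, 30), "terminated_on": None},
    {"user": "bob",   "role": "staff", "active": True,  "mfa": False,
     "last_login": date(2024, 11, 14), "terminated_on": date(2024, 11, 15)},
    {"user": "carol", "role": "staff", "active": True,  "mfa": True,
     "last_login": date(2025, 3, 1),  "terminated_on": date(2025, 1, 10)},
    {"user": "dave",  "role": "admin", "active": True,  "mfa": True,
     "last_login": date(2025, 3, 29), "terminated_on": None},
    {"user": "erin",  "role": "staff", "active": False, "mfa": False,
     "last_login": date(2024, 5, 30), "terminated_on": date(2024, 6, 1)},
]

# Constructed admin log as it looked when the integrity baseline was taken.
BASELINE_LOG = b"2025-03-01 admin login alice\n"


def review_accounts(accounts, today):
    """Requirement 8 checks: terminated-but-active, stale, and admins without MFA.

    Returns a dict of user lists, one per check, in inventory order.
    """
    findings = {"terminated_active": [], "stale": [], "admin_no_mfa": []}
    for a in accounts:
        if not a["active"]:
            continue  # disabled accounts are already remediated
        if a["terminated_on"] is not None:
            findings["terminated_active"].append(a["user"])
        if (today - a["last_login"]).days > INACTIVE_DAYS:
            findings["stale"].append(a["user"])
        if a["role"] == "admin" and not a["mfa"]:
            findings["admin_no_mfa"].append(a["user"])
    return findings


def check_retention(online_days, archived_days):
    """Requirement 10.5.1 check on days of log history that are available.

    online_days:   days immediately queryable (e.g. on the log server)
    archived_days: total days retained including archive/cold storage
    """
    return {
        "online_ok": online_days >= ONLINE_DAYS,
        "total_ok": archived_days >= RETENTION_DAYS,
    }


def log_digest(data: bytes) -> str:
    """SHA-256 hex digest used as the integrity baseline for a log."""
    return hashlib.sha256(data).hexdigest()


def append_only_check(baseline_len, baseline_digest, current: bytes):
    """Verify a log has only grown since the baseline was recorded.

    An append-only log must still begin with exactly the bytes that were
    hashed at baseline time. Any in-place edit changes that prefix and any
    deletion shortens the file, so both are detected without storing the
    original log alongside the live copy.
    """
    if len(current) < baseline_len:
        return "truncated"
    if log_digest(current[:baseline_len]) != baseline_digest:
        return "modified"
    return "ok"


if __name__ == "__main__":
    print(review_accounts(SAMPLE_ACCOUNTS, TODAY))
    print("before remediation:", check_retention(30, 30))
    print("after remediation: ", check_retention(92, 400))
    n, d = len(BASELINE_LOG), log_digest(BASELINE_LOG)
    print(append_only_check(n, d, BASELINE_LOG + b"2025-03-02 admin login dave\n"))
    print(append_only_check(n, d, b"2025-03-01 admin login mallory\n"))
```

For the append-only check to mean anything, the baseline length and digest must be stored somewhere the admin users cannot write (the separate log store or a monitoring host), and the baseline should be advanced each time the log is verified so the protected prefix keeps growing with the file.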
The assessment confirmed Ikigai's low-risk profile due to its fully outsourced payment model (SAQ A), with no cardholder data touching internal systems. However, foundational security gaps—particularly around access reviews, log protection, and MFA coverage—presented moderate risk to corporate systems supporting e-commerce operations. The findings reinforced that even in reduced-scope environments, basic access and logging controls require formalisation.