How we work
If you are running (or expanding) a payments business in Latin America, compliance is the license that lets you keep transacting in the region. Before you sign with anyone, you deserve to know exactly what happens, who does what, and how long it takes. This page answers, without the runaround, the questions buyers actually ask.
How does a project start?
It starts with a 30-minute conversation. You tell us your scope, timeline and constraints; we tell you frankly whether we are the right provider for your case. If we are going to touch sensitive information, we sign a mutual NDA before you share anything. From there we move to a gap analysis that defines the real starting point, not the one assumed in a generic proposal.
What do I need ready before we start?
Nothing you have to "prepare." We start from wherever you are today, whether or not prior documentation exists. What we do need from your side is concrete:
- Access to your technical environments, or the equivalent technical information. Without it there is no way to assess your compliance, and we do not guess.
- Access to the people who own each process.
- A counterpart to coordinate decisions as we go.
The work of building, organizing and documenting is ours. One useful note: the more technical information you share up front, the tighter the scope and the faster (and cheaper) we move; if we have to discover and scan everything from scratch, the effort and the timeline grow.
What do we do, and what do you do?
The split is clear, and we put it in writing from the start. In one line: we carry compliance so you can carry your business.
| What we take on | What you provide |
|---|---|
| Design, document and keep the management system running, with PCI DSS, ISO 27001 and data protection integrated into one. | Access to your environments and to the people who own each process. |
| Audit it internally with the same rigor as the certifier and close the gaps. | The decisions that belong to your business. |
| Represent you before the external auditor and drive the remediations up to the certificate. | Keep running your business, without becoming an expert in the standards. |
What are the phases of the project?
Four phases, each with a concrete, verifiable outcome. It doesn't have to be the full package: you can contract a single phase (for example, just the gap analysis or just the internal audit) or the complete project from start to finish.
- Gap analysis and scope. We define what falls within scope and measure the distance between where you are and what each standard requires. Deliverable: a gap analysis report.
- Design and implementation. We build the management system (policies, processes, controls and evidence) integrating the three standards into one. Outcome: the system running in your day-to-day, documentation included.
- Monitoring and internal audit. We keep the system live and assess it with the same rigor as the certifier, closing gaps before the real audit. Outcome: you reach the audit with no surprises.
- External audit. We represent you before the auditor or QSA and defend each observation until it is closed. Outcome: you finish with your system fully supported and your operations intact.
How long does certification take?
It depends on your starting point and the standard, and we will not sell you a generic number. As a guide, a first implementation from scratch usually takes between 9 and 12 months depending on the standard; a recertification is an annual cycle; a migration between versions is shorter. The firm schedule comes out of the gap analysis, with dates we commit to in writing.
How is pricing structured?
We quote per phase or for the full project, always with a specific price set out in writing after the gap analysis, because that is when the real scope becomes clear. The amount depends on the size of your operation, the standards involved and how much technical information you share with us up front, since the more you provide, the narrower the scope and the lower the cost. We do not sell loose hours.
What happens if the auditor finds non-conformities?
We analyze them with you and help you resolve them, defining the remediation plan, working alongside your team as it fixes each issue and defending the closure before the auditor or QSA, and since we have already audited your system with the certifier’s own rigor, the gaps are detected and closed before that stage.
Do you certify me yourselves?
No, and that is deliberate. We prepare and defend your system; the certificate is issued by an independent certification body or QSA. We never audit our own work as though we were that third party. It is the foundation of our independence, and we explain it in detail in Independence and conflict-of-interest management.
Can you handle compliance across several Latin American countries?
Yes. PCI DSS and ISO 27001 are international standards: the management system is the same whether you operate in Peru, Chile, Colombia or anywhere else in the region. What changes is the data-protection layer, which we adapt to each country's law. We have sustained payment operations across several countries at once, so you deal with one team instead of one consultant per border.
Ready to talk?
If your case fits this, tell us about it in a first 30-minute conversation. And if we are not the right provider for you, we will say so on that same call.