Bangladesh E-commerce Platform Onboards Payment Gateway in 60 Days
A Dhaka-based e-commerce platform needed PCI DSS SAQ A-EP certification to onboard a Visa/Mastercard acquiring bank — EIC delivered in 60 days, unlocking improved interchange rates worth USD 180K annually.
Acquiring Bank Requiring PCI DSS Before Gateway Activation
A Dhaka-based e-commerce platform — processing domestic and cross-border transactions for over 3,000 merchants — had negotiated a new acquiring relationship with a regional bank offering improved interchange rates. The acquiring bank's onboarding requirements included a valid PCI DSS AOC before the gateway could be activated.
The platform redirected customers to a hosted payment page for card data entry — qualifying for SAQ A-EP rather than the more extensive SAQ D. However, the platform's management initially believed they needed SAQ D compliance, which would have required a significantly longer and more expensive engagement. Correctly identifying the applicable SAQ type was the first critical decision.
The 60-day onboarding window was fixed by the acquiring bank's quarterly onboarding cycle. Missing this window would delay gateway activation by 3 months — during which the platform would continue paying higher interchange rates under its existing acquiring arrangement. The financial impact of a 3-month delay was estimated at approximately USD 45,000 in additional interchange costs.
The platform had never completed a formal PCI DSS assessment. While the hosted payment page architecture was inherently scope-reducing, the platform still needed to demonstrate compliance with SAQ A-EP's 194 requirements — including vulnerability scanning, penetration testing, and security policy documentation that the platform had not previously maintained.
- Acquiring bank requiring valid AOC before gateway activation
- 60-day fixed window matching quarterly onboarding cycle
- 3,000+ merchants processing through the platform
- First formal PCI DSS assessment — no prior compliance documentation
- USD 180K annual revenue improvement from lower interchange rates
SAQ Type Clarification + Accelerated Assessment
EIC's first action was confirming the correct SAQ type — a decision that reduced the assessment scope from 286 requirements (SAQ D) to 194 (SAQ A-EP), saving weeks and significant cost.
SAQ Type & Scoping
CardIntel confirmed redirect-only payment flow — SAQ A-EP applicable (not SAQ D). SAQ A-EP has 194 requirements vs SAQ D's 286. Scoping document and remediation plan produced.
Remediation
Key gaps: missing ASV vulnerability scanning programme, incomplete network diagram, patch management policy formalisation. ASV scanning configured. External pen test completed.
SAQ A-EP Assessment
All 194 SAQ A-EP requirements assessed. Compensating controls documented for 2 requirements where technical implementation was not feasible within the 60-day window.
AOC & Activation
AOC issued. Submitted to acquiring bank. Gateway activated within the quarterly onboarding window. Lower interchange rates effective immediately.
SAQ A-EP vs SAQ D: A Decision Worth 92 Requirements
The most impactful decision in this engagement occurred in the first week. The platform's management had assumed SAQ D was required because their platform "handled payments." CardIntel's data flow analysis confirmed that the platform redirected customers to a hosted payment page operated by their payment service provider — the platform's servers never stored, processed, or transmitted cardholder data.
Under PCI DSS scoping rules, this redirect architecture qualifies for SAQ A-EP (Service Provider with Redirect), which has 194 requirements compared to SAQ D's 286. The 92-requirement difference translated directly into reduced assessment timeline, reduced remediation scope, and reduced cost. More critically, it made the 60-day window achievable — SAQ D at full scope would have required approximately 90–120 days.
The compensating controls documented for 2 SAQ A-EP requirements addressed situations where the platform's existing infrastructure could not be modified within the 60-day window without risking service disruption to the 3,000+ merchants on the platform. The compensating controls were documented per PCI DSS Appendix B guidelines and accepted by the QSA as providing equivalent security to the original requirements.
The gateway activation completed within the acquiring bank's quarterly onboarding cycle, with lower interchange rates taking effect immediately. The platform's Head of Payments calculated that the assessment cost was recovered within the first month of the new interchange rate structure — and the USD 180K annual benefit would compound as the platform's transaction volume continued to grow.
Measurable Outcomes
We thought PCI DSS would take six months. EIC confirmed we were SAQ A-EP, not SAQ D, which changed everything. The gateway activation paid back the entire assessment cost within the first month of lower interchange fees.