CASE STUDY

How QNB Group Automates Multi-Regional PCI DSS 4.0.1 Compliance at Portfolio Scale with Onlayer

20 May 2026

85% increase in completed merchant SAQ submissions
Zero technical burden on merchants

REGION: Middle East and Africa
PRODUCTS: PCI-DSS Management
MERCHANT TYPE: PCI DSS 4.0.1 Compliance

As PCI DSS 4.0.1 entered full enforcement, QNB Group faced the complex challenge of managing compliance across thousands of diverse merchants and sub-Payment Facilitators (sub-PFs).

By partnering with Onlayer, QNB successfully centralized its multi-country compliance operations, automated the document lifecycle, closed the critical e-skimming protection gap addressed by Requirements 6.4.3 and 11.6.1, and harmonized card scheme mandates with strict national data protection laws across multiple jurisdictions.

The Challenge

Operating an acquiring portfolio across multiple countries meant QNB had to navigate compounding pressures simultaneously.

1. The strict mandates of PCI DSS 4.0.1

The transition to version 4.0.1 (the active standard since June 2024, with future-dated requirements that became mandatory on 31 March 2025) expanded the acquirer's direct accountability. QNB needed a reliable method to ensure merchants were using the correct Self-Assessment Questionnaires (SAQs), to manage quarterly Approved Scanning Vendor (ASV) cycles, and to oversee sub-PFs along with their aggregated sub-merchants.

2. The e-skimming threat (Requirements 6.4.3 and 11.6.1)

The standard now requires continuous detection of injected scripts and tampered checkouts in the consumer browser. Most e-commerce merchants lacked the technical capability to implement client-side script inventory, integrity checking, and tamper detection on their own, leaving QNB exposed to severe, uncapped card network fines — including Visa's GMAP and Mastercard's SDP programs — if a breach occurred.

3. A fragmented regulatory landscape

As a multi-regional powerhouse, a single data incident in QNB's portfolio could trigger overlapping penalties from several authorities at once — including CBUAE Notice 3057 in the UAE, SAMA in Saudi Arabia, KVKK in Türkiye, and GDPR in the EU — each with its own reporting expectations and timelines.


The Solution

QNB Group deployed Onlayer's Merchant PCI DSS Management Module and Malware & E-Skimming Module across its regional hubs to create a single, continuous source of truth for the entire merchant portfolio, replacing fragmented document trails with a connected platform purpose-built for acquirers.

1. Automating the document lifecycle and sub-PF oversight

  • Intelligent SAQ classification: QNB eliminated the single most common portfolio failure — misclassification (for example, merchants filing SAQ A when SAQ A-EP was required). Onlayer's PCI Wizard guides each merchant to the correct form through automated question-and-answer logic.

  • Centralized multi-channel intake: Instead of managing documents scattered across emails, sales portals, and faxes, QNB consolidated all SAQs, AoCs and ASV reports into one global dashboard, with validity tracking and proactive renewal reminders.

  • Sub-PF visibility: Onlayer enables QNB to maintain a digital, read-only sub-merchant register and automatically alerts the bank the moment an aggregated sub-merchant crosses the transaction-volume thresholds that require elevation to direct merchant status.

2. Eliminating the Magecart risk (Requirements 6.4.3 and 11.6.1)

  • Continuous payment-page scanning inventories and authorizes every script running on each merchant checkout, satisfying the authorization, integrity and justification controls of Requirement 6.4.3.

  • Behavioural detection flags unauthorized third-party code modifications, malicious formjacking, and obfuscated payloads in near real time — fulfilling the change-detection and HTTP-header integrity mandates of Requirement 11.6.1.

  • Zero merchant code deployment: Protection is delivered without requiring QNB merchants to integrate SDKs or modify their checkout code — a decisive advantage at portfolio scale.
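The three bullets above describe the two control families a payment-page scanner has to implement: an authorized, justified, integrity-checked script inventory (Requirement 6.4.3) and change detection on page content and HTTP headers (Requirement 11.6.1). The following is an added illustration written for this page, not Onlayer's code or anything QNB runs; it assumes an external scanner that has already fetched the checkout HTML, the bodies of the external scripts it references, and the response headers, and all of the sample HTML, script bodies, hostnames and headers below are constructed.

```python
"""Payment-page script inventory and tamper detection (PCI DSS 4.0.1 6.4.3 / 11.6.1).
Added example: the page, script bodies and headers are constructed sample data."""
import hashlib
from html.parser import HTMLParser

# Response headers whose unexpected change on a payment page is alerted (11.6.1).
WATCHED_HEADERS = ("content-security-policy", "strict-transport-security",
                   "x-frame-options", "x-content-type-options")


class _ScriptCollector(HTMLParser):
    """Collect every <script>: external ones by src, inline ones by body text."""
    def __init__(self):
        super().__init__()
        self.scripts = []            # list of (src or None, inline body)
        self._in_script, self._src, self._buf = False, None, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script, self._src, self._buf = True, dict(attrs).get("src"), []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def _sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def inventory_scripts(html, external_bodies):
    """Return {script_id: sha256} for every script the browser would execute.
    External scripts are keyed by src and hashed over the fetched body (None if
    the scanner could not fetch it); inline scripts are keyed by their own hash."""
    parser = _ScriptCollector()
    parser.feed(html)
    inv = {}
    for src, body in parser.scripts:
        if src:
            fetched = external_bodies.get(src)
            inv[src] = _sha256(fetched) if fetched is not None else None
        else:
            digest = _sha256(body.strip())
            inv["inline:" + digest[:12]] = digest
    return inv


def build_baseline(html, external_bodies, headers, justifications):
    """Approved state: inventory plus written justification per script (6.4.3)
    and the watched response headers (11.6.1)."""
    inv = inventory_scripts(html, external_bodies)
    lower = {k.lower(): v for k, v in headers.items()}
    return {"scripts": {sid: {"hash": h, "justification": justifications.get(sid)}
                        for sid, h in inv.items()},
            "headers": {h: lower.get(h) for h in WATCHED_HEADERS}}


def check_page(baseline, html, external_bodies, headers):
    """Compare a fresh scan with the baseline and return sorted (kind, detail) findings."""
    findings, approved = [], baseline["scripts"]
    current = inventory_scripts(html, external_bodies)
    for sid, h in current.items():
        if sid not in approved:
            findings.append(("unauthorized_script", sid))
        elif h is None:
            findings.append(("script_unfetchable", sid))
        elif h != approved[sid]["hash"]:
            findings.append(("script_modified", sid))
    for sid, entry in approved.items():
        if sid not in current:
            findings.append(("script_missing", sid))
        if not entry["justification"]:
            findings.append(("missing_justification", sid))
    lower = {k.lower(): v for k, v in headers.items()}
    for name, expected in baseline["headers"].items():
        if lower.get(name) != expected:
            findings.append(("header_changed", name))
    return sorted(findings)


# Constructed sample data: an approved checkout page and a later, tampered scan.
PAY_JS = "https://checkout.example/js/pay.js"
BASELINE_HTML = ('<html><head><script src="%s"></script>'
                 '<script>window.cfg = {merchant: "demo"};</script>'
                 '</head><body><form id="card"></form></body></html>' % PAY_JS)
BASELINE_BODIES = {PAY_JS: "function pay(){/* tokenize */}"}
BASELINE_HEADERS = {"Content-Security-Policy": "script-src 'self' https://checkout.example",
                    "Strict-Transport-Security": "max-age=31536000"}
INLINE_ID = next(s for s in inventory_scripts(BASELINE_HTML, BASELINE_BODIES) if s.startswith("inline:"))
JUSTIFICATIONS = {PAY_JS: "PSP tokenization library", INLINE_ID: "Merchant checkout config"}
BASELINE = build_baseline(BASELINE_HTML, BASELINE_BODIES, BASELINE_HEADERS, JUSTIFICATIONS)

NEW_SRC = "https://cdn.unknown-host.example/t.js"        # constructed, not an approved source
TAMPERED_HTML = BASELINE_HTML.replace("</head>", '<script src="%s"></script></head>' % NEW_SRC)
TAMPERED_BODIES = {PAY_JS: "function pay(){/* tokenize */} /* unexpected change */",
                   NEW_SRC: "/* third-party script */"}
TAMPERED_HEADERS = {"Content-Security-Policy": "script-src *",
                    "Strict-Transport-Security": "max-age=31536000"}


def demo():
    """Scan the tampered page against the approved baseline."""
    return check_page(BASELINE, TAMPERED_HTML, TAMPERED_BODIES, TAMPERED_HEADERS)


if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```

Running `demo()` reports the relaxed Content-Security-Policy header, the modified `pay.js` body and the unapproved script source as three separate findings, while a rescan of the unchanged page returns nothing. Because inline scripts are keyed by the hash of their text, an edited inline script shows up as one unauthorized entry plus one missing entry rather than as a modification, which is a deliberate choice so that an injected inline payload can never be mistaken for an approved one.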

3. Multi-regional and jurisdiction-aware audit readiness

  • Tamper-resistant evidence logs are time-stamped and exportable on demand, replacing the audit-season scramble with a continuously maintained evidence base.

  • Jurisdictional alignment: Onlayer's reporting layer formats compliance evidence to satisfy card scheme rules and local regulations simultaneously, including SAMA, CBUAE, KVKK and GDPR.

  • Unified governance: Regional compliance teams operate inside the same platform, with role-based visibility — preserving local accountability while giving group-level governance a complete portfolio view.


Full PCI DSS 4.0.1 Coverage Map

PCI DSS 4.0.1 retains the twelve principal requirements introduced in version 4.0 and clarifies how they apply to merchants and third-party providers. The table below summarizes how Onlayer's platform supports QNB across the full set.

#  | PCI DSS 4.0.1 Requirement | How Onlayer Supports QNB
---|---------------------------|-------------------------
1  | Install & Maintain Network Security Controls | Onlayer's hosted multi-tenant infrastructure is deployed behind hardened perimeter controls so QNB merchants benefit from network segmentation without integration overhead.
2  | Apply Secure Configurations to All System Components | Default-deny script policies and approved-source allow-lists ensure that every component on a merchant payment page runs only an inventoried, justified configuration.
3  | Protect Stored Account Data | Onlayer's modules sit outside the cardholder data environment, removing PAN handling from QNB merchant workflows and limiting storage exposure.
4  | Protect Cardholder Data with Strong Cryptography During Transmission | Continuous TLS/HTTPS monitoring on merchant payment pages detects insecure transmission, certificate anomalies, and downgrade attempts.
5  | Protect All Systems and Networks from Malicious Software | The Malware & E-Skimming module fingerprints malicious scripts, skimmer families, and obfuscated payloads on QNB merchants' checkouts in near real time.
6  | Develop and Maintain Secure Systems and Software (incl. 6.4.3) | Onlayer enforces Requirement 6.4.3 by maintaining an authorized inventory of every script loaded in the consumer browser, with written justification and integrity validation.
7  | Restrict Access to System Components and Cardholder Data by Business Need-to-Know | Role-based access controls and a centralized dashboard let QNB compliance teams scope visibility per region, per acquirer entity, and per merchant cohort.
8  | Identify Users and Authenticate Access to System Components | MFA-protected portal access, audit trails for every reviewer action, and SSO compatibility ensure traceability across QNB's multi-country compliance staff.
9  | Restrict Physical Access to Cardholder Data | By design, Onlayer removes the need for QNB merchants to retain physical card data artifacts inside their environment, narrowing the in-scope physical footprint.
10 | Log and Monitor All Access to System Components and Cardholder Data | Time-stamped, tamper-resistant evidence logs capture every SAQ submission, ASV report, and script-change alert, exportable on demand for audit.
11 | Test Security of Systems and Networks Regularly (incl. 11.6.1) | Onlayer fulfils Requirement 11.6.1 with continuous detection of unauthorized changes to HTTP headers and payment page content, alerting QNB the moment tampering is observed.
12 | Support Information Security with Organizational Policies and Programs | Centralized policy attestations, sub-PF registers, and renewal workflows turn ad-hoc compliance gathering into a documented, continuously governed program.

This portfolio-level coverage is what allows QNB to treat PCI DSS 4.0.1 not as an annual project but as a continuously governed operating model.



The Results

By integrating Onlayer into its active acquiring ecosystem, QNB transformed seasonal, ad-hoc document gathering into a continuous, audit-ready asset and gained measurable operational efficiency.

Efficiency and total portfolio security

  • 85% increase in completed submissions: Automated validity tracking and proactive renewal reminders drove merchant compliance up across the entire portfolio.

  • Zero technical burden on merchants: QNB provides merchants with automated client-side protection against e-skimming without requiring complex code deployments on the merchant side.

  • Unified regional governance: QNB's compliance headquarters gained a bird's-eye view of its multi-country risk profile, with regional teams operating in the same platform under role-based access.

  • Continuous audit readiness: Evidence logs and reporting are export-ready at any moment, removing the audit-season scramble.

QNB Group

Merchant Risk & Acquiring

“For a multi-regional financial institution like QNB, ad-hoc compliance is no longer an option. Onlayer allows us to secure our entire merchant portfolio at scale, ensuring operational reality always matches our strict regulatory and card scheme obligations.”
