Vertical guide · Updated June 2026
Payment card attorney time tracking: PCI DSS QSA remediation advisory calls, card brand forensic investigation advisory, and state AG payment card data breach notification enforcement
Payment card law solo attorneys advise merchants, service providers, and acquiring banks on PCI DSS v4.0 compliance (PCI Security Standards Council, March 2022), including Qualified Security Assessor (QSA) annual Report on Compliance (ROC) advisory, compensating controls review under PCI DSS v4.0 Appendix B, card brand forensic investigation under Visa's Core Rules and Mastercard's Security Rules and Procedures, PCI Forensic Investigator (PFI) engagement advisory, chargeback dispute documentation, card brand compliance fine negotiation, and state data breach notification enforcement under Cal. Civ. Code § 1798.82, N.Y. Gen. Bus. Law § 899-aa, Tex. Bus. & Com. Code § 521.053, and 815 ILCS 530/10. That work generates three billing-gap sources, driven by the QSA firm's assessment calendar, each card brand's independent enforcement timeline, and each state AG's enforcement calendar: PCI DSS QSA remediation advisory calls on the QSA's assessment calendar (5 clients × 5 calls × 35 min × 55% untracked = 8.02 hours ≈ 8.0 hours = $3,600–$5,400/year at $450–$675/hr), card brand forensic investigation advisory calls on Visa/Mastercard's enforcement timeline (4 clients × 4 calls × 33 min × 55% = 4.84 hours ≈ 4.8 hours = $2,160–$3,240/year), and state AG payment card data breach notification advisory calls across multiple state enforcement calendars (6 clients × 3 calls × 28 min × 55% = 4.62 hours ≈ 4.6 hours = $2,070–$3,105/year). For a payment card solo practice, the annual billing gap is $7,830–$11,745.
TL;DR
ClaimHour captures every QSA compensating controls review advisory call that arrives when the QSA schedules its assessment session on the QSA firm's calendar, every card brand forensic report briefing advisory call that arrives on Visa's or Mastercard's independent enforcement timeline, and every state AG breach notification deficiency review advisory call that arrives on each state AG's independent enforcement calendar — passively, no timer, no audio, no call contents. $29–$59/mo. No PMS required.
PCI DSS QSA remediation advisory: calls on the QSA firm's assessment calendar
PCI DSS v4.0, published by the PCI Security Standards Council in March 2022 and mandatory for all assessments after March 31, 2024, requires that Level 1 merchants (processing more than 6 million Visa or Mastercard transactions annually) and service providers processing more than 300,000 transactions annually obtain an annual Report on Compliance (ROC) from a PCI SSC-approved Qualified Security Assessor (QSA). The QSA firm is an independent entity engaged by the merchant or service provider to assess compliance with the 12 requirement domains of PCI DSS v4.0 — from Requirement 1 (network security controls) through Requirement 12 (organizational policies and programs) — and the QSA sets its own assessment calendar: compensating controls review sessions for merchants implementing customized approaches under PCI DSS v4.0 Appendix B or D (PCI DSS v4.0 introduced a formal "customized approach" alongside the compensating controls carried forward from v3.2.1), evidence collection advisory calls for specific requirement gaps, remediation status checkpoints, and final ROC advisory discussions are all scheduled by the QSA firm on its assessment timeline, not on the merchant's or attorney's calendar. For merchants remediating gaps identified in the previous year's ROC or following a mid-year vulnerability discovery, the QSA's remediation checkpoints arrive at intervals set entirely by the QSA firm's assessment schedule — and a single large merchant PCI DSS assessment generates five categories of advisory calls arriving on the QSA's calendar throughout the 4–6 month assessment period.
Five PCI DSS QSA remediation advisory call types: (1) QSA compensating controls scope advisory call — advising on the merchant's proposed compensating control methodology under PCI DSS v4.0 Appendix B (including the intent of the original requirement, additional risk introduced by the compensating control, and equivalent or greater protection analysis required by the PCI SSC) (25–40 min) — arrives when the QSA schedules its compensating controls review session on the QSA firm's assessment calendar; (2) QSA evidence collection advisory call — advising on the specific evidence the QSA requires for a remediated PCI DSS v4.0 requirement gap, including network segmentation documentation under Requirement 1.3, multi-factor authentication implementation documentation under Requirement 8.4, and penetration test scope documentation under Requirement 11.3 (25–35 min) — arrives when the QSA schedules its evidence collection session on the QSA's assessment timeline; (3) QSA remediation status checkpoint advisory call — advising on the status of outstanding remediation items at each scheduled checkpoint in the QSA's assessment calendar, including whether compensating controls have been implemented to the QSA's satisfaction or whether open items require a Finding of Non-Compliance in the ROC (22–35 min) — arrives at each QSA-scheduled checkpoint on the assessment timeline; (4) QSA technical vulnerability assessment advisory call — advising on the merchant's penetration test results and vulnerability scan reports required under PCI DSS v4.0 Requirements 11.3 (external and internal penetration testing methodology) and 11.4 (penetration testing of segmentation controls), including the QSA's assessment of whether open vulnerabilities constitute PCI DSS findings (25–35 min) — arrives when the QSA schedules its technical assessment review on the QSA's assessment calendar; (5) QSA final Report on Compliance advisory call — advising on draft ROC findings, any Findings of Non-Compliance in the draft ROC, and remediation requirements that must be resolved before the QSA can issue a compliant ROC to the acquiring bank (30–40 min) — arrives when the QSA presents the draft ROC on the QSA's final reporting timeline. At 55% untracked: 5 clients × 5 advisory calls × 35 min × 55% = 8.02 hours ≈ 8.0 hours = $3,600–$5,400/year at $450–$675/hr.
Card brand forensic investigation advisory: calls on Visa/Mastercard's enforcement timeline
When a merchant, service provider, or acquiring bank experiences a payment card data breach, Visa and Mastercard each initiate independent forensic investigations under their respective operating regulations. Visa's Core Rules and Visa Product and Service Rules establish Visa's data compromise event response requirements, including mandatory PCI Forensic Investigator (PFI) engagement requirements, preliminary and final forensic report deadlines (Visa requires the initial PFI report within 5 business days of engagement and the final report within 10 business days of the preliminary report), and Visa's compliance fine calculation methodology for data compromise events. Mastercard's Security Rules and Procedures establish Mastercard's independent data compromise event response requirements, with Mastercard's own PFI engagement requirements and independent compliance fine calculation methodology. Because Visa and Mastercard operate independently, a single payment card breach that involves both Visa- and Mastercard-branded cardholder data generates two independent card brand enforcement timelines — with Visa's forensic investigation briefing calls and Mastercard's forensic investigation briefing calls arriving independently on each brand's enforcement calendar. Card brand forensic investigation advisory calls arrive when the card brand schedules the PFI investigation kickoff, the preliminary forensic report briefing, the chargeback dispute documentation review, and the compliance fine negotiation — all on the individual card brand's enforcement timeline, entirely independent of the QSA's remediation assessment calendar and the state AG's breach notification investigation timeline.
Four card brand forensic investigation advisory call types: (1) card brand PFI investigation kickoff advisory call — advising on the PFI engagement scope, the card brand's forensic investigation timeline expectations, the merchant's document preservation obligations for the PFI investigation, and the privilege analysis for forensic investigation communications (25–35 min) — arrives when the card brand schedules the PFI investigation kickoff on the card brand's forensic investigation timeline, independent of the merchant's or attorney's calendar; (2) card brand preliminary forensic report briefing advisory call — advising on the card brand's preliminary PFI findings, including the card brand's assessment of the scope of compromised cardholder data (account numbers, expiration dates, CVV2 data, track data), the card brand's preliminary determination of PCI DSS non-compliance, and the card brand's preliminary compliance fine calculation methodology (28–38 min) — arrives when the card brand shares preliminary PFI findings on the card brand's reporting calendar; (3) card brand chargeback dispute documentation review advisory call — advising on the merchant's chargeback dispute documentation (merchant agreement provisions governing chargeback liability allocation, the card brand's fraud transaction threshold analysis, and the merchant's dispute documentation requirements under the card brand's operating regulations) (25–35 min) — arrives when the card brand schedules its chargeback dispute documentation review on the card brand's dispute resolution timeline; (4) card brand compliance fine negotiation advisory call — advising on the card brand's proposed compliance fine amount (calculated under each card brand's proprietary fine matrix based on the number of compromised accounts, the card brand's assessment of PCI DSS non-compliance, and the timeframe of non-compliance), the merchant's grounds for fine reduction (including post-breach PCI DSS remediation, expedited consumer notification, and cooperation with the card brand's forensic investigation), and the negotiation position for the card brand fine settlement (30–40 min) — arrives when the card brand presents its proposed fine on the card brand's enforcement calendar. At 55% untracked: 4 clients × 4 calls × 33 min × 55% = 4.84 hours ≈ 4.8 hours = $2,160–$3,240/year at $450–$675/hr.
State AG payment card data breach notification advisory: calls on each state's enforcement calendar
Payment card data breaches that involve the combination of payment card account numbers with cardholder personal information (name, address, or other identifying information that enables identity theft) trigger breach notification obligations under each state's data breach notification statute. Cal. Civ. Code § 1798.82 requires notification to California residents and the California AG within 30 days of discovery (for breaches affecting more than 500 California residents), with the CA AG publishing breach notification letters on the AG's website and conducting compliance enforcement investigations. N.Y. Gen. Bus. Law § 899-aa (the SHIELD Act, effective March 21, 2020) requires notification to affected New York residents and the NY AG, with the NY AG authorized to bring civil enforcement actions for inadequate notification. Tex. Bus. & Com. Code § 521.053 requires notification to Texas residents within 60 days of discovery. 815 ILCS 530/10 requires notification to Illinois residents and the IL AG. Fla. Stat. § 501.171 requires notification within 30 days for data involving Social Security numbers and financial account data. Each state AG opens its breach notification investigation on its own enforcement calendar — state AG offices issue deficiency letters, civil investigative demands, and subpoenas on each state's independent enforcement timeline. For a merchant with cardholder data across multiple states, advisory calls arrive from each state AG's enforcement staff independently throughout the 12–18 month investigation period, with no coordination between state enforcement timelines and the card brand forensic investigation timelines.
Three state AG payment card data breach notification advisory call types: (1) state AG breach notification timeliness and content review advisory call — advising on whether the merchant's breach notification to the state AG satisfies the state's specific timing requirements, content requirements (description of the breach, types of information involved, steps consumers can take, steps the company is taking, contact information), and state-specific payment card data definitions (some state statutes define "payment card information" more broadly than PCI DSS cardholder data definitions) (22–32 min) — arrives when a state AG's office sends a breach notification deficiency letter or requests supplemental information on the state's enforcement calendar, independent of other state AG notification investigation timelines; (2) state AG document production request advisory call — advising on the scope of the state AG's civil investigative demand or administrative subpoena requesting forensic investigation reports (including PFI findings), PCI DSS assessment history (including prior year ROC findings), card brand compliance correspondence, and internal breach response records (25–35 min) — arrives when the state AG issues its CID or subpoena on the state's investigation timeline; (3) state AG consent decree or assurance of voluntary compliance advisory call — advising on the state AG's proposed settlement terms, including state civil penalty amounts under each state's breach notification statute, required consumer credit monitoring and identity theft protection service provisions, and state-specific PCI DSS compliance attestation requirements that the state AG may demand as part of the consent decree (25–35 min) — arrives when the state AG presents proposed settlement terms on the state's enforcement calendar, independent of the card brand compliance fine negotiation timeline and the QSA ROC assessment timeline. At 55% untracked: 6 clients × 3 calls × 28 min × 55% = 4.62 hours ≈ 4.6 hours = $2,070–$3,105/year at $450–$675/hr.
How ClaimHour fits payment card practice
If you advise merchants, service providers, and acquiring banks on PCI DSS v4.0 QSA annual ROC assessment with compensating controls review and remediation status checkpoint calls arriving on the QSA firm's assessment calendar, Visa and Mastercard independent forensic investigations with PFI briefing calls and compliance fine negotiation calls arriving on each card brand's enforcement timeline, and state AG payment card breach notification enforcement with deficiency letter responses and consent decree negotiation calls arriving on each state AG's independent enforcement calendar — and your invoices consistently understate the QSA final ROC advisory calls that arrive on the QSA's reporting timeline, the card brand chargeback dispute documentation review calls that arrive on the card brand's dispute resolution timeline, and the state AG document production advisory calls that arrive on each state's investigation timeline — ClaimHour was built for that gap.
Related questions
How do PCI DSS QSA remediation advisory calls generate billing gaps on the QSA's assessment calendar?
PCI DSS v4.0 (mandatory for all assessments after March 31, 2024) requires annual ROC assessment by a PCI SSC-approved QSA for Level 1 merchants and qualifying service providers. QSA firms set their own assessment calendars: compensating controls review sessions under PCI DSS v4.0 Appendix B, evidence collection advisory calls, remediation status checkpoints, technical vulnerability assessment advisory calls for Requirements 11.3 and 11.4, and final ROC advisory discussions all arrive on the QSA firm's assessment timeline, not on the merchant's or attorney's calendar. Five advisory call types: QSA compensating controls scope advisory call (25–40 min), QSA evidence collection advisory call (25–35 min), QSA remediation status checkpoint advisory call (22–35 min), QSA technical vulnerability assessment advisory call (25–35 min), and QSA final ROC advisory call (30–40 min). At 55% untracked: 5 clients × 5 advisory calls × 35 min × 55% = 8.02 hours ≈ 8.0 hours = $3,600–$5,400/year at $450–$675/hr.
How do card brand forensic investigation advisory calls generate billing gaps on Visa/Mastercard's enforcement timeline?
Visa (under Visa's Core Rules) and Mastercard (under Mastercard's Security Rules and Procedures) each initiate independent forensic investigations mandating PFI engagement, preliminary and final forensic reports on the card brand's own timeline, chargeback dispute documentation review, and compliance fine negotiation — entirely on each card brand's enforcement calendar, independent of the merchant's or attorney's calendar. For a breach involving both Visa and Mastercard cards, advisory calls arrive independently on each brand's enforcement timeline. Four advisory call types: card brand PFI investigation kickoff advisory call (25–35 min), card brand preliminary forensic report briefing advisory call (28–38 min), card brand chargeback dispute documentation review advisory call (25–35 min), and card brand compliance fine negotiation advisory call (30–40 min). At 55% untracked: 4 clients × 4 calls × 33 min × 55% = 4.84 hours ≈ 4.8 hours = $2,160–$3,240/year at $450–$675/hr.
How do state AG payment card data breach notification advisory calls generate billing gaps across multiple state enforcement calendars?
Multiple state AGs open parallel payment card breach notification investigations under independent enforcement authority: Cal. Civ. Code § 1798.82 (CA, 30-day notification), N.Y. Gen. Bus. Law § 899-aa SHIELD Act (NY, AG civil enforcement), Tex. Bus. & Com. Code § 521.053 (TX, 60-day notification), 815 ILCS 530/10 (IL, AG enforcement), Fla. Stat. § 501.171 (FL, 30 days for financial account data), and Colo. Rev. Stat. § 6-1-716 (CO). Each state AG investigation proceeds on its own enforcement calendar with independent CID authority and consent decree negotiation. Three advisory call types: state AG breach notification timeliness and content review advisory call (22–32 min), state AG document production request advisory call (25–35 min), and state AG consent decree or assurance of voluntary compliance advisory call (25–35 min). At 55% untracked: 6 clients × 3 calls × 28 min × 55% = 4.62 hours ≈ 4.6 hours = $2,070–$3,105/year at $450–$675/hr.
How does payment card attorney billing differ from other cybersecurity and data breach attorney billing?
Standard cybersecurity and data breach attorney billing (HIPAA OCR investigations, SEC cybersecurity disclosure, GDPR breach notification) involves regulatory agency enforcement timelines that are relatively structured with known investigation phases. Payment card attorney billing differs because three independent non-governmental and governmental enforcement timelines drive advisory calls simultaneously after a breach: the QSA firm's assessment calendar (set by the QSA firm's own scheduling based on remediation progress); the card brand enforcement timelines (set independently by Visa and Mastercard on each brand's forensic investigation schedule); and multiple state AG enforcement calendars (each state AG opening parallel investigations on its own timeline). The combined annual billing gap for a payment card solo practice is $7,830–$11,745/year — 17.4 untracked hours driven by multiple independent enforcement timelines the attorney has no ability to control or consolidate onto a single predictable calendar.
Further reading
- Cybersecurity attorney time tracking — cybersecurity incident response, NIST CSF advisory, and cyber insurance coverage advisory billing gaps that precede and accompany payment card PCI DSS forensic investigations
- Healthcare data breach attorney time tracking — HHS/OCR HIPAA breach investigation and state AG healthcare data enforcement billing gaps that parallel the payment card state AG multi-enforcement-calendar pattern
- Privacy class action attorney time tracking — CCPA § 1798.150 and BIPA class action defense billing gaps that accompany payment card breach class action litigation arising from the same breach event
- Consumer financial protection attorney time tracking — state AG parallel enforcement investigation pattern under NAAG coordination applicable to payment card multi-state AG breach notification enforcement
- Fintech regulatory attorney time tracking — state money transmission licensing, CFPB fintech partnership examination, and banking regulator overlap for payment processors and payment facilitators subject to payment card operating regulations
- Privacy class action fee petition mechanics — BIPA Cothron per-scan expert call cycle, CCPA § 1798.150 cybersecurity expert call cycle, and NAAG multistate AG parallel investigation billing gaps applicable to payment card breach class action fee petitions