International Finance

PCI certification is a milestone, not the destination: Kamran Chaudhary

At VikingCloud/SecureTrust, Kamran Chaudhary serves as Vice President of Solutions Engineering and is responsible for solution scoping, alignment, training, and demos

In today’s world, cybersecurity and regulatory demands have grown more complex, and businesses are seeking practical, scalable ways to stay compliant. Industry leaders are increasingly focused on simplifying compliance without compromising security or operational efficiency.

International Finance discussed the issue with Kamran Chaudhary, a 25-year veteran who specialises in Governance, Risk, and Compliance (GRC) frameworks and cybersecurity. Kamran serves as Vice-President of Solutions Engineering at VikingCloud, where he is responsible for solution scoping, alignment, training, and demos.

Kamran has collaborated with a diverse range of industries, from finance and healthcare to technology and government, leveraging a deep understanding of risk management to build tailored solutions that address unique challenges.

In an exclusive interview with International Finance, Kamran Chaudhary explains how VikingCloud simplifies PCI compliance for SMBs through continuous monitoring, proactive updates, and AI-driven insights. He also addresses risks and closes compliance gaps, ultimately helping clients achieve success in global operations.

What sets VikingCloud apart from competitors when supporting small and mid-sized businesses with PCI DSS compliance?

What really sets us apart is that we don’t look at SMBs as just a smaller version of an enterprise problem. Our Continuous Compliance Management (CCM) approach takes the PCI burden completely off the merchant’s plate so they can focus on running their business and delivering a great guest experience, something truly unique to VikingCloud. We’ve developed dedicated solutions for small and mid-sized businesses that are built to deliver rapid, cost-effective, and uncomplicated compliance for businesses that may not have their own internal security resources. On top of that, we bring 25-plus years of PCI expertise and our Asgard Platform, which provides clients with real-time visibility of their compliance status. More than 4 million businesses around the globe trust us because we show up as a partner, not just a vendor.

As PCI DSS requirements continue to evolve, what strategies are in place to ensure clients are prepared before new standards become mandatory?

We monitor the guidance put out by the PCI SSC and ensure that we are already ahead of any changes before they are required, not after. For instance, when the PCI DSS 4.0 came out, we were already ahead of it, and 4.0.1 since then. We also take the information provided in the updates and make sure that we’re communicating it in a way that’s easy to understand so that clients aren’t surprised by any changes, and we offer webinars and other direct communication to ensure that we’re walking them through exactly what’s changing and what needs to be done. We want to make sure that compliance is an ongoing process, not a fire drill every time a new version is released.

Many small businesses underestimate the risks of non-compliance. What approaches are used to educate and engage clients who may not initially prioritise PCI compliance?

To be honest, the biggest change comes when we make it real and tangible for them in terms of non-compliance. The reality for small business merchants is that they often simply check ‘yes’ for all PCI requirements without truly understanding what’s required to become compliant. Non-compliance fees start small at $50 to $100 per month, but can quickly escalate into thousands. Business owners who aren’t PCI compliant are also personally responsible for the costs associated with a potential data breach. VikingCloud simplifies the entire process by educating business owners about their specific requirements and delivering turn-key programmes that take the guesswork out of PCI, and with ransomware now making up 88% of small business attacks, the stakes couldn’t be higher. We lead with those numbers, but we also lead with making it accessible for them so it doesn’t feel so daunting for business owners who are already trying to wear ten hats at once. Once we make it accessible to them, then we have their attention.

Which compliance gaps are most frequently identified in small businesses, and what steps are typically taken to resolve them efficiently?

The most common gaps we see with Level 4 small business merchants are log retention — PCI requires one year of logs with daily reviews, which is expensive to set up independently — security awareness training, where PCI requires proof of training upon hire and annually for all in-scope employees, and secure remote access with two-factor authentication. Many SMBs simply aren’t aware these requirements exist until they’re flagged. We start with a vulnerability scan and a scoping exercise to get clarity on the gaps, and then develop a remediation plan where we address the high-risk gaps first. We use the platform to track everything so nothing falls through the cracks. Time is of the essence.
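The three gaps named in this answer (one year of retained logs with daily reviews, proof of security awareness training on hire and annually, and two-factor authentication on remote access) are all evidence checks that can be automated. The script below is an added example, not VikingCloud code or part of the Asgard Platform; it runs over constructed sample evidence (the dates, employee names and account names are invented) and reports each gap the way a scoping exercise would surface it.

```python
from datetime import date, timedelta

# Constructed sample evidence (not real merchant data); the reporting date is fixed
# so the example is reproducible.
TODAY = date(2025, 6, 30)

# Days for which a log archive exists: the full year, minus two days of lost logs.
LOG_DAYS = {TODAY - timedelta(days=d) for d in range(365)}
LOG_DAYS -= {date(2025, 3, 14), date(2025, 3, 15)}

# Days on which a daily log review was recorded: every seventh day was skipped.
REVIEWED_DAYS = {TODAY - timedelta(days=d) for d in range(365) if d % 7 != 0}

# In-scope employees: (name, hire date, dates of completed awareness training).
EMPLOYEES = [
    ("alice", date(2023, 1, 10), [date(2023, 1, 12), date(2024, 1, 8), date(2025, 1, 6)]),
    ("bob",   date(2024, 5, 20), [date(2024, 5, 22)]),   # annual refresher never taken
    ("carol", date(2025, 4, 1),  []),                    # no training since hire
]

# Remote-access accounts and whether two-factor authentication is enforced.
REMOTE_ACCOUNTS = [("vpn-owner", True), ("vpn-pos-vendor", False)]


def required_days(today=TODAY, window=365):
    """Every calendar day in the retention window ending today."""
    return {today - timedelta(days=d) for d in range(window)}


def log_retention_gaps(log_days, today=TODAY, window=365):
    """Days in the one-year window with no log archive."""
    return sorted(required_days(today, window) - log_days)


def daily_review_gaps(reviewed_days, today=TODAY, window=365):
    """Days in the one-year window with no recorded log review."""
    return sorted(required_days(today, window) - reviewed_days)


def training_gaps(employees, today=TODAY, renewal_days=365):
    """Employees with no training on record, or whose last session is over a year old."""
    gaps = []
    for name, hired, sessions in employees:
        if not sessions:
            gaps.append((name, "no training recorded since hire"))
        elif (today - max(sessions)).days > renewal_days:
            gaps.append((name, "annual refresher overdue"))
    return gaps


def mfa_gaps(accounts):
    """Remote-access accounts that still allow single-factor login."""
    return [acct for acct, mfa_enabled in accounts if not mfa_enabled]


def gap_report():
    """Summarise all four checks; high-risk items (MFA) are listed first for remediation."""
    return {
        "remote_access_without_mfa": mfa_gaps(REMOTE_ACCOUNTS),
        "log_retention_missing_days": len(log_retention_gaps(LOG_DAYS)),
        "daily_review_missing_days": len(daily_review_gaps(REVIEWED_DAYS)),
        "training": training_gaps(EMPLOYEES),
    }


if __name__ == "__main__":
    for check, result in gap_report().items():
        print(f"{check}: {result}")
```

In a real engagement the log and review day sets would come from the SIEM or log-management platform's archive index and review tickets, and the employee list from HR; the checks themselves do not change.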

How does the company maintain strong security controls while minimising operational disruptions for businesses that process payments daily?

Security must be a friend rather than a foe to the business because, if we make it too difficult, people will work around it. We operate on a model of continuous background monitoring rather than disruptive assessments, running 24/7 with our Asgard Platform, detecting threats and highlighting them before they can cause damage. We’ll actually schedule in remediation when it can be done during peak times, so it doesn’t interfere when it can least be afforded. We’ll also remove the burden from our internal teams so that we can continue to serve our customers while we handle the security behind the scenes.

Where does automation or AI contribute most effectively in monitoring, reporting, and maintaining PCI compliance across global operations?

That’s where the scale problem pays off, though, because AI earns its keep here. We process over six billion online events per day, so no human team can manually review all of those events. Modern AI, and other machine learning before that, has helped us shift from a reactive model to a predictive model, detecting anomalies and new threats before they become incidents. On the compliance side, AI provides audit-ready documentation, tracks status in real time, and points out gaps to aid the real people responsible, ultimately speeding the time to reporting. For clients who span multiple locations or even countries, this level of consistency matters: same level of rigour, everywhere, all the time.

Since VikingCloud operates in over 70 countries, how do regional regulations or cultural differences impact the compliance strategy?

PCI DSS is a worldwide standard, but the world around it is not necessarily so. In the EU, clients are also dealing with GDPR. In APAC and Latin America, clients are dealing with local payment regulations, in addition to their PCI requirements. We have in-region expertise that can help clients understand how these areas intersect, so clients don’t have to be experts in each area. Cultural nuances also come into play, such as how we communicate compliance needs to a large retail client in Germany versus a growing hospitality business in Southeast Asia. Localising is not just desirable; it is what makes it work.

What does cross-functional collaboration look like among compliance, sales, product, and support teams to deliver a seamless client experience?

We strive to ensure the client experience does not slip through the cracks between teams. Our compliance team, product team, and support teams all have feedback loops that feed directly into the way we build and improve our product. Our sales team is trained to ensure the client has the right expectations at the beginning, so they are not surprised down the road. We use internal visibility to ensure we can identify client health and address any potential issues promptly. A contract is not the end result; a compliant, protected, and secure client is.

Beyond PCI certification, what metrics or indicators are used to evaluate long-term client success and risk reduction?

Certification is a milestone, not the destination. We monitor things like the reduction in total vulnerability count over time, the average time taken to detect and respond to threats, and the ratio of high-risk issues resolved compared to the number still open. We also monitor whether the client is doing the controls in between cycles and not just preparing for the audit season. Clients who are engaging with the platform are in a much healthier security state. But at the end of the day, the real measure is whether the client has had fewer issues and has reduced their overall risk posture.
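The indicators listed in this answer (open-vulnerability count over time, mean time to detect and respond, and high-risk issues resolved versus still open) can be computed directly from scan findings and incident records. The block below is an added example rather than VikingCloud's reporting code; the finding and incident records are constructed, and the snapshot dates and column layout are assumptions made for the illustration.

```python
from datetime import datetime
from statistics import mean

# Constructed scan findings (not real client data): (id, severity, opened, closed or None).
FINDINGS = [
    ("F-1", "high",   "2025-01-05", "2025-01-20"),
    ("F-2", "high",   "2025-02-10", "2025-02-12"),
    ("F-3", "high",   "2025-03-01", None),
    ("F-4", "medium", "2025-01-15", "2025-04-02"),
    ("F-5", "low",    "2025-02-20", "2025-06-10"),
    ("F-6", "medium", "2025-05-05", None),
]

# Constructed incident records: (id, occurred, detected, contained), local time.
INCIDENTS = [
    ("I-1", "2025-01-10T02:00", "2025-01-10T02:30", "2025-01-10T06:30"),
    ("I-2", "2025-03-04T14:00", "2025-03-04T22:00", "2025-03-05T10:00"),
]

# Assumed reporting snapshots at which the open-vulnerability count is taken.
SNAPSHOTS = ["2025-01-31", "2025-03-31", "2025-06-30"]

DAY_FMT = "%Y-%m-%d"
STAMP_FMT = "%Y-%m-%dT%H:%M"


def open_count_on(findings, day):
    """Findings opened on or before the snapshot day and not yet closed on that day."""
    cutoff = datetime.strptime(day, DAY_FMT)
    return sum(
        1 for _, _, opened, closed in findings
        if datetime.strptime(opened, DAY_FMT) <= cutoff
        and (closed is None or datetime.strptime(closed, DAY_FMT) > cutoff)
    )


def vulnerability_trend(findings, snapshots):
    """Open-vulnerability count at each snapshot; a falling series is the goal."""
    return [open_count_on(findings, s) for s in snapshots]


def _mean_hours(incidents, start_col, end_col):
    return mean(
        (datetime.strptime(i[end_col], STAMP_FMT) - datetime.strptime(i[start_col], STAMP_FMT))
        .total_seconds() / 3600
        for i in incidents
    )


def mttd_hours(incidents):
    """Mean time to detect: occurred -> detected."""
    return _mean_hours(incidents, 1, 2)


def mttr_hours(incidents):
    """Mean time to respond: detected -> contained."""
    return _mean_hours(incidents, 2, 3)


def high_risk_resolution(findings, severity="high"):
    """(resolved, still open) counts for the given severity."""
    resolved = sum(1 for _, sev, _, closed in findings if sev == severity and closed)
    still_open = sum(1 for _, sev, _, closed in findings if sev == severity and not closed)
    return resolved, still_open


if __name__ == "__main__":
    print("open vulnerabilities per snapshot:", vulnerability_trend(FINDINGS, SNAPSHOTS))
    print(f"MTTD {mttd_hours(INCIDENTS):.2f} h, MTTR {mttr_hours(INCIDENTS):.2f} h")
    print("high-risk resolved/open:", high_risk_resolution(FINDINGS))
```

Computing the open count per snapshot rather than per scan is what makes the trend comparable across clients with different scan cadences; the same functions can be pointed at the exported findings of any scanner that records open and close dates.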

Which traits or skills distinguish the most successful team members who support businesses navigating complex compliance environments?

While technical knowledge is important, it’s not the only factor. The people who make the most impact are the people who, given something complex, are able to make it clear and understandable to a person who runs a pharmacy or a hotel chain, not a security expert. Curiosity is a huge factor because the threat space never stops changing. The best people in this space are always curious, always learning. And then, beyond all of those, I think it’s just a matter of empathy, of patience, because compliance only works if the person on the other side of the conversation trusts you, so gaining their trust is as important as any other factor.
