GRSee cybersecurity and compliance


How Lili Achieved PCI DSS & Reduced Audit Complexity

By Tom Rozen

Published March 21, 2026


Introduction

Lili is an award-winning online business banking platform built for growth-ready small and mid-sized businesses in the U.S. Designed for owners and teams managing increasing volume and complexity, Lili delivers high-performance business banking with fast payments, high-yield savings, access to credit and exceptional support.

But with growth came increased responsibility.

As Lili expanded its platform and deepened its role in handling sensitive financial and payment data, the need to formalize its security posture became unavoidable. PCI DSS compliance wasn't just a requirement imposed by the card payments ecosystem; it was a foundational step toward building long-term trust with customers, partners, and the broader financial ecosystem.

Lili needed a partner who could guide them through this process without slowing down the business. They weren’t looking for a traditional audit firm. They were looking for clarity, speed, and real expertise.

That’s where GRSee Consulting came in.

From the outset, GRSee positioned itself not just as a Qualified Security Assessor (QSA), but as a strategic partner, one that understands modern fintech environments and knows how to translate compliance into practical, operational security.

The Challenge

For Lili, PCI DSS was not about managing large volumes of cardholder data internally, but about demonstrating a strong, compliant security posture within a broader payments ecosystem.

As their platform evolved, ensuring alignment with PCI DSS requirements became important for supporting partnerships, meeting ecosystem expectations, and reinforcing trust with stakeholders.

The challenge wasn’t simply achieving compliance; it was doing so in a way that aligned with Lili’s architecture and operating model, without introducing unnecessary friction or slowing down product development.

At the same time, preparing for a PCI DSS Report on Compliance (ROC) audit required a high level of rigor. Even in environments with limited direct cardholder data exposure, controls, processes, and evidence must still be clearly defined, validated, and able to withstand detailed assessment.

“PCI compliance wasn’t just about meeting a requirement for us. It was about building a level of trust that matches the responsibility we have toward our customers.” - Omri Nachum, Head of Cybersecurity, CISO

Lili needed a way to move forward with confidence, without getting stuck in the kind of slow, unclear, and resource-draining audit processes that many companies experience.

The Solution

From the very beginning, GRSee approached the engagement differently.

The focus was on understanding how Lili’s environment actually worked. Its architecture, workflows, and constraints became the starting point for everything that followed.

The engagement began with a PCI DSS gap assessment, which provided a clear picture of where things stood and what needed to be addressed. But more importantly, it translated the standard into something actionable, highlighting not just gaps, but priorities.

From there, GRSee worked closely with Lili’s teams to build a structured path forward. This wasn’t a one-time deliverable. It was an ongoing process of alignment, validation, and execution.

Penetration testing played a critical role in this phase, simulating real-world attack scenarios and uncovering risks that are not visible through documentation alone. In parallel, vulnerability scanning introduced a continuous layer of visibility, allowing Lili to identify and address weaknesses across its environment proactively. Both activities are PCI DSS requirements in their own right (Requirement 11), not merely audit preparation, so establishing them early also built the recurring evidence the assessment would later demand.

As the engagement progressed, GRSee also supported Lili through the preparation for their QSA-led PCI DSS ROC audit. This meant more than just “getting ready.” It involved structuring evidence, validating controls early, and ensuring that by the time the audit began, there were no surprises.

Throughout the process, GRSee operated as an extension of Lili’s team, available, responsive, and deeply involved in the details.

“What stood out was how hands-on the team was. It never felt like we were being audited, it felt like we had a partner helping us get it right.” - Omri Nachum, Head of Cybersecurity, CISO

This approach reflects a fundamental difference in philosophy. Instead of forcing companies into rigid frameworks, GRSee aligns compliance with reality: how systems are built, how teams operate, and where risks actually exist.

As the designated QSA, GRSee maintained a forward-looking perspective throughout the process. Every step, from evidence collection to control validation, was aligned with what would ultimately be required for the ROC audit, so that the formal audit began with no last-minute gaps and no unnecessary rework.

This integrated approach reflects a key difference in how GRSee operates. Instead of separating advisory and audit into disconnected phases, it creates a continuous, aligned process that reduces friction and increases confidence, while preserving the separation of duties between the advisory work and the independent assessment that a QSA is required to maintain.

Challenges & How They Were Addressed

Like many fast-growing fintech companies, Lili faced a set of challenges that made PCI DSS particularly complex.

Their environment was dynamic, with evolving infrastructure and multiple stakeholders involved in security, engineering, and operations. Documentation requirements were extensive, and aligning everyone around a shared understanding of compliance expectations required time and coordination.

Perhaps most importantly, there was the risk of inefficiency of the kind that often comes with traditional audit processes. Endless back-and-forth, unclear evidence requests, and last-minute surprises can turn compliance into a draining, disruptive experience.

GRSee’s role was to eliminate that friction. By defining expectations early and ensuring alignment throughout, it closed the common disconnect between “what was prepared” and “what is required in the audit.”

By introducing clear structure from the beginning, they ensured that expectations were well defined and progress was measurable. Early validation checkpoints helped catch issues before they became problems, and ongoing communication kept everyone aligned.

Their white-glove approach meant that Lili was never left guessing. Evidence was reviewed before submission. Controls were discussed in context. Questions were answered quickly, often by senior experts who understood both the technical and compliance dimensions.

Instead of slowing the team down, the process became more efficient over time. And instead of feeling like an external burden, compliance became integrated into how Lili operated.

The Impact

By the time Lili entered the formal audit phase, the groundwork had already been laid. What could have been a stressful, uncertain process became structured and predictable. Teams knew what was expected. Evidence was organized. Controls were aligned with reality.

The preparation for the PCI DSS ROC audit was not just complete; it was approached with confidence.

Beyond the audit itself, the impact extended into the broader organization. Lili gained a clearer understanding of its security posture, along with processes that could scale as the company grows. Vulnerability management became more proactive. Security testing became more meaningful. And compliance shifted from a reactive effort to a managed capability.

Perhaps most importantly, the internal perception of compliance changed. What once felt like a complex obligation became something more valuable: a way to strengthen trust, reduce risk, and support growth.

Conclusion

Lili’s journey reflects a broader shift in how modern companies approach security and compliance.

In a world where trust is critical, frameworks like PCI DSS are not just requirements; they are signals. Signals to customers, partners, and the market that security is taken seriously.

By partnering with GRSee Consulting, Lili was able to approach this challenge with clarity and confidence.

Instead of navigating a fragmented, frustrating audit process, they built a structured, scalable foundation for security and compliance, one that supports continued growth in a regulated environment.

And in doing so, they demonstrated that compliance, when done right, is not a blocker.

It’s an advantage.