Success case

iFood

iFood maintains an extensive digital payments ecosystem and, alongside its delivery core business, developed its own financial structure, including iFood Pago, focused on offering fintech-like services within the group.

The PCI DSS certification project was conducted to support strategic initiatives related to payment data exchange and the expansion of this financial services operation, considering the regulatory and security requirements associated with card data processing.

With the audit completed, the project achieved an independent PCI DSS certification for iFood Pago, formally documented through the official RoC (Report on Compliance) and AoC (Attestation of Compliance).

Align the defined payment flows with the requirements applicable to the new services.

Create a repeatable model that can be extended to other regulatory initiatives.

Enable continuity for the strategic initiatives planned for the domestic market.

Maintain evidence traceability through the platform used for collection and review.


The challenge

Before the audit began, the team already knew this would be an unusual initiative: a new service, a newly designed architecture, fixed timelines, and the need to maintain innovation speed without compromising compliance.

Instead of adapting an existing environment—which would require significant restructuring—the decision was to start from scratch and build an independent scope for iFood Pago. This meant handling technical requirements, documentation, and data flows under a separate set of controls, without impacting existing operations.

From that point on, the challenges became clear:

Our biggest challenge was time. We did not follow a linear model. We defined the target date first, and everything had to fit within that timeline.

Juvenildo Lourenço

The certification journey with Conviso

The decision to pursue certification came after a joint assessment between the teams, evaluating whether it would be more viable to adapt existing projects or create a new independent scope. The second option proved to have a lower impact on the business.

The engagement included:

Definition of architecture and payment data flow design
Guidance on technical alignment with PCI DSS requirements
Continuous consulting throughout development and implementation
Support for evidence collection, submission, and validation
Coordination involving approximately 30 internal stakeholders
Full execution of the audit process, including interviews and RoC/AoC documentation

Maximum satisfaction with the consulting

The final delivery met the established timeline and consolidated a repeatable process for future certification cycles.

The partnership was built on technical guidance and clarity. Whenever adjustments were needed, we always discussed the best possible path forward.

Juvenildo Lourenço
