PCI Success Story

How Streaming Giant DAZN Passed Its First PCI DSS 4.0.1 Audit

Across 15 global checkouts, with no observations, no gaps, and no code on the page.

The Challenge: You Can’t Prove What You Can’t See

DAZN Group isn’t one business; it’s a federation of them. Through organic growth and acquisition, including the major Foxtel Group acquisition in Australia, which brought brands such as Kayo Sports and BINGE under the group, DAZN Group spans multiple consumer businesses, alongside the flagship DAZN streaming service and its betting arm, DAZN Bet. Each processes payments for different services and different customers, and each had historically relied on different technologies for its PCI scanning. The result was a fragmented, brand-by-brand view of payment-page security across roughly 15 checkouts serving customers in more than 200 markets.

Then PCI DSS v4 changed what “good enough” meant. The new standard is far more prescriptive about client-side security, requiring organizations to actively monitor the third-party scripts running on their payment pages, the very scripts that can quietly skim cardholder data from inside the customer’s browser. With the group’s first v4 QSA audit approaching, a patchwork of scanning tools was never going to survive the scrutiny. DAZN needed one consistent way to monitor every checkout and to prove it.

There was a constraint that most retailers never face. As a live-streaming service, DAZN sees enormous numbers of viewers arrive at once during peak events, and nothing, least of all the checkout, can be allowed to slow the service down.

"It’s crucial that uptime remains consistent, and nothing can reduce our ability to provide the streaming services to our customers. So we needed something that is agentless but provides us with that real-time information, without the risk of having to bring down services."
Dipesh Solanki, Head of Risk & Compliance DAZN

The Script Nobody Could Explain

DAZN chose Reflectiz, turned it on, and almost immediately the platform surfaced something the team hadn’t expected: components running on live checkout pages that nobody recognized.

The platform’s reach spanned three separate teams: risk and compliance, security operations, and web application engineering. Yet no one could initially say what the script was, what it was doing, or why it was there. It was exactly the kind of quiet, unexplained presence on a payment page that the entire PCI DSS v4 client-side regime exists to flush out. Rather than guessing, the team used the platform’s Generate with AI button to produce a plain-language explanation of the script’s purpose, then traced it back through the business to confirm whether it belonged. An invisible blind spot became a documented, owned decision.

"When we first onboarded Reflectiz, it picked up a few components on a number of checkout pages that we did not recognize, something quite obscure. No one across the teams understood what the component was doing or why it was needed. Using the Generate with AI button actually helped us understand the purpose of the script and why it was there."
Dipesh Solanki, Head of Risk & Compliance DAZN

Why the Manual Approach Doesn’t Scale

DAZN had been running a separate tool for similar monitoring, so this wasn’t a blind evaluation — Dipesh could compare directly. The difference in usability was significant enough that he’s now planning to migrate that workload to Reflectiz entirely, consolidating onto one platform rather than maintaining two. The reason is scale. As the group onboards more services and configures more third-party components, clearing each alert by hand across every checkout becomes unsustainable. Smart approvals mean a script justified once doesn’t have to be reviewed from scratch every time, and the AI-generated justifications double as an education for the wider business about whether a component belongs on the page at all.

"The ability to quickly go through alerts and provide that smart approval has been really good. We’ve used the Generate with AI button to support our justification statements, but it also helps educate us; it gives us a basis to ask, as a business, do we actually need to be configuring these types of components into our web pages?"
Dipesh Solanki, Head of Risk & Compliance DAZN

Turned On in Hours, Not Weeks

Because Reflectiz is agentless, there was nothing to deploy on DAZN’s pages and no internal systems to reconfigure, which is also why it never competes with streaming performance. That meant the platform could be stood up fast, and it was put to the test immediately in the run-up to the annual audit. DAZN’s Customer Success Manager, Michael, turned a list of checkouts into live monitoring inside a day or two.

"Working with Michael has been great. At the very beginning, I listed out a number of checkouts on a Thursday or Friday, and within 24 to 48 hours, we had them onboarded, in the run-up to our annual QSA audit, so there was real urgency. Michael reached out to the internal teams and managed to onboard those checkouts very quickly, which allowed us to review everything before the QSA came in. Now the average onboarding time is within 24 hours once we’ve identified what needs to be onboarded."
Dipesh Solanki, Head of Risk & Compliance DAZN

One Point of Contact, Real Answers

That responsiveness wasn’t a one-off. Michael has been with DAZN from the initial procurement through to the ongoing expansion of checkouts, and the value of a dedicated contact, for Dipesh, is as much about understanding as speed: someone who has learned what DAZN does, what it’s trying to achieve, and the technical detail the team needs guidance on.

"Michael’s been with us right from procuring the service through to expanding the number of checkouts. It’s great that he understands more and more about what DAZN does, what we’re after, and the technical details we need guidance with. From a dedicated customer point of view it’s very good; I can go to one person and get the guidance and the answers I need."
Dipesh Solanki, Head of Risk & Compliance DAZN

Where the Standard Gets Genuinely Hard

Not every question had a clean answer in the box, and Dipesh is candid that some of the trickiest calls came from the standard itself rather than the tooling. PCI DSS v4’s script requirements get genuinely ambiguous at the edges. When a single checkout sits on one iframe but loads multiple scripts, or when checkouts share a root URL yet differ slightly underneath, the standard doesn’t always spell out exactly what falls in scope.

"Even with translating the PCI DSS, it’s not 100 percent clear in places; for example, where you have one checkout on the same iframe but potentially using multiple scripts. The root URL is the same, but the checkout might be a little bit different. There’s a nuance there. So we worked with the QSA to validate exactly which checkouts we needed to scan."
Dipesh Solanki, Head of Risk & Compliance DAZN

This is where the combination of full script visibility and QSA validation earned its keep. Rather than guessing at scope, DAZN could point the assessor to exactly what was running on each page: which scripts, on which URLs, under which conditions. The iframe ambiguity that Dipesh flagged (one checkout URL, multiple scripts, no clear guidance in the standard) became a documented scope decision confirmed by the QSA rather than a finding waiting to happen.

The Audit: Nothing to Find

When the assessor arrived, Reflectiz was one part of a much larger scope, but it was the part he could navigate with ease, even though it was likely the first time he’d encountered the platform. Every checkout, every script, every past alert, and every justification was laid out and exportable to XLS and PDF for further scrutiny.

"We passed with flying colors: no observations, no gaps found. We took the QSA through Reflectiz, and it was quite easy for him to observe the exact evidence he was seeking. He had all the evidence right at his fingertips."
Dipesh Solanki, Head of Risk & Compliance DAZN

The Business Impact

●  Clean v4 audit: Passed the group’s first PCI DSS v4 QSA assessment with zero observations and zero gaps.

●  Consolidated monitoring: Fragmented, brand-by-brand scanning replaced by one agentless platform across roughly 15 checkouts.

●  Blind spot eliminated: Unrecognized scripts on live checkout pages surfaced, explained via AI, and brought under governance.

●  Rapid onboarding: New checkouts live within 24–48 hours, fast enough to meet a hard audit deadline.

●  Cross-team alignment: Risk and compliance, security operations and engineering all working from one shared set of alerts.

●  Dedicated support: A single, consistent Customer Success Manager from procurement through every checkout expansion.

●  No performance trade-off: Real-time monitoring with no code on the page and no risk to streaming uptime at peak.

The Bottom Line

DAZN now knows exactly what’s running on every checkout across its portfolio of brands, and can prove it to an assessor on demand. A fragmented set of scanning tools has been replaced by a single agentless platform that surfaces risks in real time, generates audit-ready evidence automatically, and brings three teams onto the same page, without adding developer overhead or touching the production environment.

"Absolutely, I’d recommend Reflectiz for the speed of onboarding, the usability, the way it uses AI to help build the justification case for compliance, and the ability to demonstrate evidence for PCI DSS. I’d recommend it to my peers."
Dipesh Solanki, Head of Risk & Compliance DAZN
