INDEX
Example
Example
SHARE THIS ARTICLE
Copy link
Post on LinkedIn
Post on X
Ready to get compliant?
Whether you're getting compliant for the first time or want to make your next audit less painful, Delve gets you across the finish line faster.
SOC 2 progress bar showing 96% completed with steps labeled Tools, Evidence, Policies, Pass audit, and Ship faster.
Book a Demo
Book a Demo
Abstract gradient background blending teal, black, and orange hues.
All articles
No items found.

Complete Process of PCI Compliance (2026 Guide)

Posted:
Feb 6, 2026
|
Last updated:
Feb 6, 2026
Shane Peden
Partner, Risk Advisory & Assurance Services at Aprio
min read

Summary

  • The PCI compliance process consists of three steps: (1) Assess: scope your cardholder data environment and identify gaps, (2) Remediate: implement security controls and fix vulnerabilities, and (3) Report: Document and validate compliance with your acquirer.
  • Before starting, answer three classification questions: Are you a merchant or service provider? How do you accept payments (determines SAQ type)? What's your transaction volume (determines level)? These answers set your entire compliance path.
  • Your ongoing work follows the assess-remediate-report cycle: scope your CDE and map data flows, reduce scope then implement technical and process controls, complete your SAQ or ROC and submit with quarterly ASV scans.
  • Formal validation is what happens during assessment: scoping verification, sampling for large environments, compensating control review, reporting to acquirer, and clarifications as needed.
  • Scope reduction before remediation is the highest-leverage move. 

PCI DSS: How a single question drives the entire standard 

Payment Card Industry Data Security Standard (PCI DSS) often feels like an intimidating wall of 260+ controls designed for giants like JPMorgan Chase, but for most businesses, it boils down to answering just one question

“Are you protecting card data properly?”

Everything else is an implementation detail. To navigate this, you simply follow an ongoing operational rhythm of three steps:

These three steps serve six core goals such as building secure networks and controlling access, which are refined into 12 mandatory requirements.

Goal Requirement
Build Secure Networks 1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data 3. Protect stored data
4. Encrypt transmission of cardholder data across open, public networks
Manage Vulnerabilities 5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Control Access 7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Monitor and Test 10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Security Policies 12. Maintain a policy that addresses information security for all personnel

Focusing on these 12 requirements provides enough depth to steer your team through the process. While the 260+ micro-controls can be complex, Delve handles that heavy lifting for you, providing a bespoke framework for your specific environment.

Let's review the PCI compliance process 

Here’s how you become PCI compliant in three simple steps.

Step 1: Know who you are (before you start)

The PCI compliance journey is different for everyone. The process you follow depends on WHO you are in the PCI ecosystem. The better clarity you have of your identity, the better scope you’ll be able to draw, the less friction you’ll feel along the way. In order for that, you must answer three basic questions before doing anything else.

Question 1: Are You a Merchant or a Service Provider?

  • A merchant accepts payment cards for their own goods or services. 
  • A service provider handles cardholder data on behalf of other companies. 

Most startups are merchants. If you're selling software and taking payment, you're a merchant. If you're processing payments for other businesses or storing their customers' card data, you're a service provider. Some companies are both, which means separate compliance tracks for each role.

Why it matters

Service providers face stricter requirements and only qualify for SAQ D (the longest form). They also need to validate scope every six months instead of annually. Merchants have more options depending on how they accept payments.

Question 2: How Do You Accept Payments?

This is the big one. Your payment architecture determines which Self-Assessment Questionnaire applies to you, and SAQ types range from 22 controls to 260+. The difference between SAQ A and SAQ D isn't trivial. It's the difference between a two-week project and a six-month odyssey.

How You Accept Payments SAQ Type Controls
Fully outsourced (customer redirects to Stripe, PayPal, etc.) SAQ A ~22
E-commerce where you control the payment page SAQ A-EP ~139-191
Physical terminals connected to phone lines SAQ B ~41
Physical terminals connected to internet SAQ B-IP ~82
Virtual terminal (manually keying cards into web app) SAQ C-VT ~79
Payment app connected to internet SAQ C ~160
Point-to-point encryption hardware SAQ P2PE ~33
Everyone else (or service providers) SAQ D ~260+

Read that table again. A company using Stripe Checkout (full redirect) answers 22 questions. A company that built its own payment form answers 260+. Same business models can have wildly different compliance burdens. This is why payment architecture decisions made early in a company's life have massive downstream consequences.

One caveat: PCI DSS 4.0 added Requirements 6.4.3 and 11.6.1, which require monitoring scripts on any page containing a payment iframe. So even SAQ A merchants have some technical work now. But it's still dramatically less than handling cards directly.

Question 3: How Many Transactions Do You Process?

Transaction volume determines your "PCI compliance level," which affects how you validate compliance.

Level Annual Card Transactions What You Submit
1 Over 6 million QSA audit (Report on Compliance) + quarterly scans
2 1 million to 6 million SAQ + quarterly scans
3 20,000 to 1 million (e-commerce) SAQ + quarterly scans
4 Under 20,000 (e-commerce) or under 1 million SAQ + quarterly scans (recommended)

Most startups are Level 3 or 4. The critical threshold is 6 million transactions, where you must hire a Qualified Security Assessor (QSA) for an on-site audit. Below that, self-assessment works. Your acquirer (the bank behind your payment processor) can also bump you to a higher level based on risk factors, so don't assume volume is the only consideration.

Step 2: Create a System of Ongoing Compliance Work

Once you know your classification, you must build the "operating rhythm" that keeps you compliant. This is not a one-time event, but a continuous cycle of three phases: Assess, Remediate, and Report.

TL;DR

Founder’s Summary

Goal: Move from "not compliant" to "audit-ready" through a continuous cycle.

The Loop: You create a system that finds gaps (Assess), fixes them (Remediate), and submits proof (Report).

Key Action: Always “shrink your scope" before fixing things, to save months of work and thousands of dollars.

Assessment Phase: Find where the data lives and what’s broken 

The purpose of the assessment phase is to understand what you're protecting and where the gaps are. This phase establishes your scope (the systems that touch card data), which determines everything that follows. Rush it, and you'll pay for it later.

1. Scope your Cardholder Data Environment (CDE)

Your CDE is every system that touches card data, plus everything connected to those systems. The PCI Security Standards Council recommends assuming everything is in-scope until proven otherwise. Here's what you need to identify:

  • Every system that stores, processes, or transmits cardholder data (your payment servers, databases, applications)
  • "Connected-to" systems: anything with network connectivity to your CDE (that admin workstation on the same VLAN? In scope)
  • "Security-impacting" systems: anything that could affect CDE security if compromised (firewalls, logging servers, authentication systems)
  • Network segmentation status: document whether your CDE is isolated or sitting on a flat network (flat networks dramatically expand scope)

2. Map cardholder data flows

Draw this out. Literally. Data flow diagrams aren't just documentation requirements. They're how you find scope creep before it finds you. Answer these questions:

  • How does card data enter your environment? (Web form, API, phone call, physical terminal)
  • Where does it travel? (Which systems touch it, which networks carry it?)
  • Where is it stored, if anywhere? (Databases, logs, backups, call recordings)
  • How does it exit? (To processor, to acquirer, deleted after authorization)

3. Analyze gaps against applicable requirements

Now compare your current state to what your SAQ requires. Every "no" answer is a gap. Every gap needs a plan.

  • Compare current state to your applicable SAQ requirements (not the full PCI DSS if you qualify for a shorter SAQ)
  • Identify technical gaps: missing encryption, weak access controls, insufficient logging, unpatched systems
  • Identify process gaps: missing policies, no security training, no incident response plan, no vendor management
  • Prioritize by risk (what could cause a breach) and effort (what can you fix quickly). Quick wins build momentum.

4. Verify third-party compliance

Your vendors' compliance gaps become your compliance gaps. Don't skip this.

  • Collect Attestations of Compliance (AOCs) from every service provider who touches card data on your behalf
  • Confirm their compliance actually covers the services they provide you (an AOC for their hosted product doesn't cover custom integrations)

Remediation Phase: Shrink your scope, then fix what remains

Remediation addresses the gaps identified during assessment. The order matters here. Most companies jump straight to implementing controls. Smart companies shrink scope first.

1. Reduce the scope first of all

Before you fix anything, ask: "Can we reduce what needs fixing?" According to Google Cloud's PCI architecture guidance , one should keep narrow scopes. Overscoping leads to broad costs. Through diligent evaluation, one can avoid systems that should not be in-scope. Check for:

  • Network segmentation: Isolate your CDE on its own network segment with strict firewall rules. Everything outside the segment drops out of scope.
  • Tokenization: Replace card numbers with meaningless tokens. Systems that only see tokens are out of scope.
  • Migration to compliant third-party processors: Move card handling to a PCI-compliant provider. You inherit their compliance.
  • P2PE deployment: Point-to-point encryption encrypts card data at the terminal. Your systems never see unencrypted data.

2. Cater technical remediations

Now implement the technical controls your SAQ requires. Common items:

  • Firewall configuration and rule review: Default deny, explicit allows only for required traffic
  • Encryption implementation: TLS 1.2+ for data in transit, AES-256 for data at rest
  • Access control: PCI DSS 4.0 requires MFA for all CDE access, not just remote
  • Logging and monitoring setup: Centralized logging, real-time alerting, audit trails for all access
  • Vulnerability scanning configuration: Internal and external scans, automated and scheduled
  • Penetration testing: Required annually and after significant changes for most SAQ types

3. Implement process remediations

Technical controls aren't enough. PCI compliance requires documented processes and trained people.

  • Policy development: Information security policy, acceptable use policy, access control policy, change management policy
  • Incident response plan creation: Documented procedures for detecting, responding to, and recovering from security incidents
  • Security awareness training program: Annual training for all staff, with records of completion
  • Vendor management procedures: Process for evaluating and monitoring third-party security

4. Create documentation along

Evidence is the currency of compliance. Document as you go, not after.

  • Document all controls implemented with screenshots, configuration exports, and timestamps
  • Maintain evidence for each requirement: auditors will ask for proof, not promises
  • Keep policies and procedures current: outdated documentation is a finding

Reporting Phase: Prove the work, then keep proving it

The reporting phase validates and documents your compliance status. This is where you prove everything you've done actually meets requirements.

1. Complete your assessment

2. Sign Attestation of Compliance (AOC)
  • Formal declaration that you've completed assessment and met applicable requirements
  • Must be signed by an executive officer (for SAQ) or QSA (for ROC)

3. Conduct quarterly ASV scans
  • External vulnerability scans by an Approved Scanning Vendor (ASV) are required quarterly
  • Scans must pass: no high-severity vulnerabilities on internet-facing systems

4. Submit documentation
  • Send SAQ (or ROC) + AOC + ASV scan reports to your acquirer
  • Card brands may have additional submission requirements depending on your level and history

5. Maintain ongoing compliance

Compliance isn't a finish line. It's an operating rhythm. This system you created needs to keep running properly so that the answer to the question, “are you handling card data properly?” is always YES.

  • This cycle repeats continuously, with annual reassessment required
  • Annual reassessment required: full SAQ or ROC every 12 months
  • Re-assess after significant changes: new payment methods, major infrastructure changes, acquisitions

Step 3: Proving it to the auditor

Your ongoing compliance work is what you do. Formal validation is what happens to it. When you submit your SAQ or undergo a QSA audit, assessors step in to verify the system you've created actually works.

This isn't a separate track running parallel to your ongoing work. It's what happens inside the Report phase when an external party steps in to verify your compliance.

Step What Happens Who Does It
Scoping Verify all systems handling card data are identified and included You: SAQ
QSA: ROC
Sampling For large environments, select representative systems to test in detail QSA (for ROC only)
Compensating Controls Document and validate alternative controls when you can't meet a requirement exactly You document, QSA validates
Reporting Complete and submit required documentation to acquirer You submit
Clarifications Respond to questions from acquirer or card brands You respond as needed

Roadmap of PCI compliance process

For a startup with modern cloud infrastructure, no legacy systems, and willingness to move fast, here's what a realistic timeline looks like. SAQ A through SAQ C scenarios typically take 8-10 weeks. SAQ D with a large environment? Double or triple it. Level 1 requiring a QSA audit? Add scheduling delays and more extensive evidence collection. But the sequence stays the same.

Operationalizing the sequence: Classify, shrink, and handle

PCI compliance can feel overwhelming because it's often presented as a wall of requirements. It's not. It's a sequence: classify yourself, shrink your scope, handle what remains. That sequence, executed with discipline, turns a months-long slog into a weeks-long sprint, especially with tools like Delve that were built for this exact process.

If an enterprise deal is waiting on your compliance, or you'd rather get ahead of the inevitable security questionnaire, we can help you move from zero to certified in weeks. 

Book a Demo
Book a Demo

About the authors

Shane Peden
Partner, Risk Advisory & Assurance Services at Aprio

Summary

  • The PCI compliance process consists of three steps: (1) Assess: scope your cardholder data environment and identify gaps, (2) Remediate: implement security controls and fix vulnerabilities, and (3) Report: Document and validate compliance with your acquirer.
  • Before starting, answer three classification questions: Are you a merchant or service provider? How do you accept payments (determines SAQ type)? What's your transaction volume (determines level)? These answers set your entire compliance path.
  • Your ongoing work follows the assess-remediate-report cycle: scope your CDE and map data flows, reduce scope then implement technical and process controls, complete your SAQ or ROC and submit with quarterly ASV scans.
  • Formal validation is what happens during assessment: scoping verification, sampling for large environments, compensating control review, reporting to acquirer, and clarifications as needed.
  • Scope reduction before remediation is the highest-leverage move. 

PCI DSS: How a single question drives the entire standard 

Payment Card Industry Data Security Standard (PCI DSS) often feels like an intimidating wall of 260+ controls designed for giants like JPMorgan Chase, but for most businesses, it boils down to answering just one question

“Are you protecting card data properly?”

Everything else is an implementation detail. To navigate this, you simply follow an ongoing operational rhythm of three steps:

These three steps serve six core goals such as building secure networks and controlling access, which are refined into 12 mandatory requirements.

Goal Requirement
Build Secure Networks 1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data 3. Protect stored data
4. Encrypt transmission of cardholder data across open, public networks
Manage Vulnerabilities 5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Control Access 7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Monitor and Test 10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Security Policies 12. Maintain a policy that addresses information security for all personnel

Focusing on these 12 requirements provides enough depth to steer your team through the process. While the 260+ micro-controls can be complex, Delve handles that heavy lifting for you, providing a bespoke framework for your specific environment.

Let's review the PCI compliance process 

Here’s how you become PCI compliant in three simple steps.

Step 1: Know who you are (before you start)

The PCI compliance journey is different for everyone. The process you follow depends on WHO you are in the PCI ecosystem. The better clarity you have of your identity, the better scope you’ll be able to draw, the less friction you’ll feel along the way. In order for that, you must answer three basic questions before doing anything else.

Question 1: Are You a Merchant or a Service Provider?

  • A merchant accepts payment cards for their own goods or services. 
  • A service provider handles cardholder data on behalf of other companies. 

Most startups are merchants. If you're selling software and taking payment, you're a merchant. If you're processing payments for other businesses or storing their customers' card data, you're a service provider. Some companies are both, which means separate compliance tracks for each role.

Why it matters

Service providers face stricter requirements and only qualify for SAQ D (the longest form). They also need to validate scope every six months instead of annually. Merchants have more options depending on how they accept payments.

Question 2: How Do You Accept Payments?

This is the big one. Your payment architecture determines which Self-Assessment Questionnaire applies to you, and SAQ types range from 22 controls to 260+. The difference between SAQ A and SAQ D isn't trivial. It's the difference between a two-week project and a six-month odyssey.

How You Accept Payments SAQ Type Controls
Fully outsourced (customer redirects to Stripe, PayPal, etc.) SAQ A ~22
E-commerce where you control the payment page SAQ A-EP ~139-191
Physical terminals connected to phone lines SAQ B ~41
Physical terminals connected to internet SAQ B-IP ~82
Virtual terminal (manually keying cards into web app) SAQ C-VT ~79
Payment app connected to internet SAQ C ~160
Point-to-point encryption hardware SAQ P2PE ~33
Everyone else (or service providers) SAQ D ~260+

Read that table again. A company using Stripe Checkout (full redirect) answers 22 questions. A company that built its own payment form answers 260+. Same business models can have wildly different compliance burdens. This is why payment architecture decisions made early in a company's life have massive downstream consequences.

One caveat: PCI DSS 4.0 added Requirements 6.4.3 and 11.6.1, which require monitoring scripts on any page containing a payment iframe. So even SAQ A merchants have some technical work now. But it's still dramatically less than handling cards directly.

Question 3: How Many Transactions Do You Process?

Transaction volume determines your "PCI compliance level," which affects how you validate compliance.

Level Annual Card Transactions What You Submit
1 Over 6 million QSA audit (Report on Compliance) + quarterly scans
2 1 million to 6 million SAQ + quarterly scans
3 20,000 to 1 million (e-commerce) SAQ + quarterly scans
4 Under 20,000 (e-commerce) or under 1 million SAQ + quarterly scans (recommended)

Most startups are Level 3 or 4. The critical threshold is 6 million transactions, where you must hire a Qualified Security Assessor (QSA) for an on-site audit. Below that, self-assessment works. Your acquirer (the bank behind your payment processor) can also bump you to a higher level based on risk factors, so don't assume volume is the only consideration.

Step 2: Create a System of Ongoing Compliance Work

Once you know your classification, you must build the "operating rhythm" that keeps you compliant. This is not a one-time event, but a continuous cycle of three phases: Assess, Remediate, and Report.

TL;DR

Founder’s Summary

Goal: Move from "not compliant" to "audit-ready" through a continuous cycle.

The Loop: You create a system that finds gaps (Assess), fixes them (Remediate), and submits proof (Report).

Key Action: Always “shrink your scope" before fixing things, to save months of work and thousands of dollars.

Assessment Phase: Find where the data lives and what’s broken 

The purpose of the assessment phase is to understand what you're protecting and where the gaps are. This phase establishes your scope (the systems that touch card data), which determines everything that follows. Rush it, and you'll pay for it later.

1. Scope your Cardholder Data Environment (CDE)

Your CDE is every system that touches card data, plus everything connected to those systems. The PCI Security Standards Council recommends assuming everything is in-scope until proven otherwise. Here's what you need to identify:

  • Every system that stores, processes, or transmits cardholder data (your payment servers, databases, applications)
  • "Connected-to" systems: anything with network connectivity to your CDE (that admin workstation on the same VLAN? In scope)
  • "Security-impacting" systems: anything that could affect CDE security if compromised (firewalls, logging servers, authentication systems)
  • Network segmentation status: document whether your CDE is isolated or sitting on a flat network (flat networks dramatically expand scope)

2. Map cardholder data flows

Draw this out. Literally. Data flow diagrams aren't just documentation requirements. They're how you find scope creep before it finds you. Answer these questions:

  • How does card data enter your environment? (Web form, API, phone call, physical terminal)
  • Where does it travel? (Which systems touch it, which networks carry it?)
  • Where is it stored, if anywhere? (Databases, logs, backups, call recordings)
  • How does it exit? (To processor, to acquirer, deleted after authorization)

3. Analyze gaps against applicable requirements

Now compare your current state to what your SAQ requires. Every "no" answer is a gap. Every gap needs a plan.

  • Compare current state to your applicable SAQ requirements (not the full PCI DSS if you qualify for a shorter SAQ)
  • Identify technical gaps: missing encryption, weak access controls, insufficient logging, unpatched systems
  • Identify process gaps: missing policies, no security training, no incident response plan, no vendor management
  • Prioritize by risk (what could cause a breach) and effort (what can you fix quickly). Quick wins build momentum.

4. Verify third-party compliance

Your vendors' compliance gaps become your compliance gaps. Don't skip this.

  • Collect Attestations of Compliance (AOCs) from every service provider who touches card data on your behalf
  • Confirm their compliance actually covers the services they provide you (an AOC for their hosted product doesn't cover custom integrations)

Remediation Phase: Shrink your scope, then fix what remains

Remediation addresses the gaps identified during assessment. The order matters here. Most companies jump straight to implementing controls. Smart companies shrink scope first.

1. Reduce the scope first of all

Before you fix anything, ask: "Can we reduce what needs fixing?" According to Google Cloud's PCI architecture guidance , one should keep narrow scopes. Overscoping leads to broad costs. Through diligent evaluation, one can avoid systems that should not be in-scope. Check for:

  • Network segmentation: Isolate your CDE on its own network segment with strict firewall rules. Everything outside the segment drops out of scope.
  • Tokenization: Replace card numbers with meaningless tokens. Systems that only see tokens are out of scope.
  • Migration to compliant third-party processors: Move card handling to a PCI-compliant provider. You inherit their compliance.
  • P2PE deployment: Point-to-point encryption encrypts card data at the terminal. Your systems never see unencrypted data.

2. Cater technical remediations

Now implement the technical controls your SAQ requires. Common items:

  • Firewall configuration and rule review: Default deny, explicit allows only for required traffic
  • Encryption implementation: TLS 1.2+ for data in transit, AES-256 for data at rest
  • Access control: PCI DSS 4.0 requires MFA for all CDE access, not just remote
  • Logging and monitoring setup: Centralized logging, real-time alerting, audit trails for all access
  • Vulnerability scanning configuration: Internal and external scans, automated and scheduled
  • Penetration testing: Required annually and after significant changes for most SAQ types

3. Implement process remediations

Technical controls aren't enough. PCI compliance requires documented processes and trained people.

  • Policy development: Information security policy, acceptable use policy, access control policy, change management policy
  • Incident response plan creation: Documented procedures for detecting, responding to, and recovering from security incidents
  • Security awareness training program: Annual training for all staff, with records of completion
  • Vendor management procedures: Process for evaluating and monitoring third-party security

4. Create documentation along

Evidence is the currency of compliance. Document as you go, not after.

  • Document all controls implemented with screenshots, configuration exports, and timestamps
  • Maintain evidence for each requirement: auditors will ask for proof, not promises
  • Keep policies and procedures current: outdated documentation is a finding

Reporting Phase: Prove the work, then keep proving it

The reporting phase validates and documents your compliance status. This is where you prove everything you've done actually meets requirements.

1. Complete your assessment

2. Sign Attestation of Compliance (AOC)
  • Formal declaration that you've completed assessment and met applicable requirements
  • Must be signed by an executive officer (for SAQ) or QSA (for ROC)

3. Conduct quarterly ASV scans
  • External vulnerability scans by an Approved Scanning Vendor (ASV) are required quarterly
  • Scans must pass: no high-severity vulnerabilities on internet-facing systems

4. Submit documentation
  • Send SAQ (or ROC) + AOC + ASV scan reports to your acquirer
  • Card brands may have additional submission requirements depending on your level and history

5. Maintain ongoing compliance

Compliance isn't a finish line. It's an operating rhythm. This system you created needs to keep running properly so that the answer to the question, “are you handling card data properly?” is always YES.

  • This cycle repeats continuously, with annual reassessment required
  • Annual reassessment required: full SAQ or ROC every 12 months
  • Re-assess after significant changes: new payment methods, major infrastructure changes, acquisitions

Step 3: Proving it to the auditor

Your ongoing compliance work is what you do. Formal validation is what happens to it. When you submit your SAQ or undergo a QSA audit, assessors step in to verify the system you've created actually works.

This isn't a separate track running parallel to your ongoing work. It's what happens inside the Report phase when an external party steps in to verify your compliance.

Step What Happens Who Does It
Scoping Verify all systems handling card data are identified and included You: SAQ
QSA: ROC
Sampling For large environments, select representative systems to test in detail QSA (for ROC only)
Compensating Controls Document and validate alternative controls when you can't meet a requirement exactly You document, QSA validates
Reporting Complete and submit required documentation to acquirer You submit
Clarifications Respond to questions from acquirer or card brands You respond as needed

Roadmap of PCI compliance process

For a startup with modern cloud infrastructure, no legacy systems, and willingness to move fast, here's what a realistic timeline looks like. SAQ A through SAQ C scenarios typically take 8-10 weeks. SAQ D with a large environment? Double or triple it. Level 1 requiring a QSA audit? Add scheduling delays and more extensive evidence collection. But the sequence stays the same.

Operationalizing the sequence: Classify, shrink, and handle

PCI compliance can feel overwhelming because it's often presented as a wall of requirements. It's not. It's a sequence: classify yourself, shrink your scope, handle what remains. That sequence, executed with discipline, turns a months-long slog into a weeks-long sprint, especially with tools like Delve that were built for this exact process.

TechCrunch

21-year-old MIT dropouts raise $32M at $300M valuation led by Insight

Delve gets $32 million from Insight Partners to scale its platform that automates regulatory compliance with AI agents.
Read More
Read More
Feb 6, 2026

SOC 2 vs ISO 27001: The Differences

The majority of B2B companies must be compliant with current security standards. See how SOC 2 and ISO 27001 play into your company's credibility.
Omair Manzoor
Chief Hacker at ioSENTRIX
Feb 6, 2026

Complete Process of PCI Compliance (2026 Guide)

Learn the 3-step process of PCI compliance: assess, remediate, and report. Discover how to manage ongoing work and formal validation to protect your cardholder data environment efficiently.
Shane Peden
Partner, Risk Advisory & Assurance Services at Aprio
Jan 30, 2026

What is a SOC 2 Report

A SOC 2 report is a document that proves a service provider’s compliance with data security standards. Find out how you can achieve SOC 2 compliance.
Anthony Garcia
Co-Founder and CTO, Network Right

Don't let manual compliance slow you down.

With Delve, companies prove compliance faster, close deals quicker, and stay compliant as they scale.
Book a Demo
Book a Demo
Abstract gradient background with vertical rectangular segments blending from teal on the left to dark, then orange on the right.

How to build and run a billboard campaign

Dark gradient background transitioning from warm brown tones on the left to cooler blue tones on the right.

In fall of 2025 for a period of three months, Delve ran one of the largest out-of-home campaigns of all time to make a splash for our brand and make sure everybody in the city of San Francisco, New York City, and Austin knows who we are. We learned a ton throughout the process, and we want to share every mistake, every learning, and every success to demystify the out-of-home channel.

Billboard advertising, or as it's called in the industry, out-of-home advertising, is any advertising that somebody has to go outside of their home to see (in contrast to other formats of paid media like newsletters, ads, TV, or radio). Here is our comprehensive guide on how to plan for an out-of-home campaign, execute on it, and analyze how much of an impact it had.

Abstract blurred background with gradient colors transitioning from teal to black and orange.
Download our OOH planning template and guidebook
We've received your information and you'll receive the materials via email shortly!
Oops! Something went wrong while submitting the form.

Planning

This is some text inside of a div block.
Date
1
min read

When is the right time for OOH?

Out-of-home is how you make a brand splash. It's a we’ve-arrived statement. The only right time to do that is when you have achieved a moderate degree of PMF, you have steady lead flow, a strong pre-existing pipeline that is heavily driven by word-of-mouth, and stable processes. When you’re ready to punch past a certain number of leads, revenue, or make a massive announcement, that’s the time to go out of home.

Those hallmarks usually are seen after the Series A (or whatever the current fundraising environment is in SF :) or a company-changing product release that you’re ready to bet it all on.

Keep in mind that OOH is an expensive and top-of-funnel strategy, so your average annual contract size should be able to support the cost of putting this on. If we think about attribution purely in the sense of pipeline and closed won:

OOH Campaign ACV Contracts Closed (Attr. OOH)
$500,000 $5,000 100
$1,000,000 $5,000 200
$1,500,000 $5,000 300
$2,000,000 $5,000 400

This is a crude analysis, but you get the idea. Make sure you can sell enough (even on a multi-touch attribution model) to justify the spend.

How much should I budget?

The cardinal saying is “Go big or don’t go out of home.” Out-of-home is not a channel to try a small spend of $50k and see how it goes. Out-of-home only succeeds when you create a sense of omnipresence, a moment where you take over and everywhere prospects go, all they see is you.

Text saying 'Go big or don’t go out of home' over a gradient background blending dark blue, orange, and light beige colors.

Kasper Koczab, the Head of OOH Media at Brex puts it like this:

I often talk to founders who want to “test” OOH by booking a single billboard and seeing how it performs. That’s not how this medium works.

If you’re confident in your product and you know where your prospects live, work, and play, the most effective strategy is to create a sense of omnipresence. It’s not enough to reach your ICP on their commute — your message should be there when she’s walking her dog or taking her kids to soccer practice, too. Frequency matters.

In a first-time out-of-home campaign, it’s all about frequency. You need to be everywhere, all the time, so they can’t escape you. Managers who want to champion your product will feel more confident when they know their VP has seen your bus ad. Top-tier recruits will feel much more excited knowing that the company offering them has their name plastered all over the city. There’s a part of the human psyche that thinks “if this startup can afford this and pull it off, they must be legit.”

Once you define exactly what your goals are, how big of a reach you want, and who you’re trying to sell to, you’ll be able to compare your goals to the cost of media. Towards the back-end of 2025, media prices are at an all-time high with a frothy AI marketplace and well-funded startups taking over almost every available media. In a congested space, you’ll need even more dollars to stand out.

A good framework is:

  1. Why do we want to do this?
    1. We want to do a massive splash and announce our product, recruiting, etc.
  2. How long will it take to accomplish that goal?
    1. We estimate 2-3 mo of omnipresence will help us accomplish that
  3. If we had to pick one city where our prospects are mostly concentrated, where would it be?
    1. San Francisco, New York, Los Angeles, etc.

Great! Now we know we want to do a 2-3 month campaign in SF. To pull that off, we’d likely need a set of 40-50 panels, an anchor placement on a major highway, and a set of bus wraps. Total spend = $750,000.

Man with a beard and traditional cap drawing a flowchart on a transparent board with two blurred people watching.
Four men standing around a table with printed materials and a laptop in a modern office with large windows.

How Far in Advance Should You Plan and Book OOH?

Start planning early. Ideally, begin the process a few months in advance of when you want your ads to go live. Popular billboard locations and transit media can book up quickly, so you need lead time to secure the spots you want.

A good rule is to book 3-6 months ahead for high-demand markets or premium locations. For example, Times Square billboards in NYC might even require 6+ months lead time, and Los Angeles’ Sunset Strip or SF’s 101 freeway boards can be reserved several months out (especially around major events). In Austin, if you want coverage during SXSW, you’d better be talking to vendors at least 3+ months before the festival.

Besides reserving the inventory, you also need time for creative production. Designing the ads, iterating on copy, getting approvals, and then printing physical posters or vinyl (if not digital) all add time. If you’re starting from scratch, imagine that before that you’ll also go through brand-building sessions with your team, creatives design, multiple (up to 20!) rounds of feedback, and then finally arrive on something the team is aligned with.

If you’re on a tighter timeline, you may still find last-minute opportunities (sometimes unsold digital billboard slots can be nabbed weeks or even days before, at a discount). But generally, to get the locations and dates you want, earlier is better.

For example, say you’re targeting a product launch in September. You’d want to begin planning by early summer, confirm your media buys by mid-summer, and have creative finalized and in production by August so the ads can be installed on time. Some smaller formats like bus shelters might have shorter lead times than giant billboards, but just play it safe.

We started the process in April for an August 11th deployment, about 4 months out. This still made things incredibly tight.

Back into it like so:

Flight Date (Launch) → When your campaign goes live.

4 weeks before → Final creatives are due.

8 weeks before creatives are due → Creative design and production begin.

8 weeks before creative prep → Media planning and vendor selection start.

That puts you square at 5 months.

We’ve put together some great tracking spreadsheet templates to show you how to Gantt this all out. Download our guidebook at right to get access.

Execution

This is some text inside of a div block.
Date
1
min read

What is a good time of year to do this?

This is highly industry-dependent. If we look at the year:

Q1: Reset and Re-Acceleration

Teams return from holidays energized, focused on executing annual plans and budgets. It’s prime time for B2B: decision-makers are back, budgets are open, and industry kickoffs like CES drive high audience concentration. Finance and accounting tools benefit from tax season, while consumer brands face the post-holiday “slump” except in fitness and self-improvement. Cold, wet weather means more drive-time and delivery ad exposure, less walking traffic.

Q2: Spring Surge

Conference season peaks (RSA, SaaStr, Collision), boosting opportunities for geo-targeted OOH near airports and venues. Warmer weather brings foot traffic back and hybrid work stabilizes. As teams race to close H1 targets, quick-win B2B products perform well. College graduations fuel hiring and employer-brand campaigns.

Q3: Summer Slowdown → Autumn Gold

Mid-summer is quiet: decision-makers and investors vacation, buying stalls, and morale-driven campaigns see lower engagement. Exceptions: travel, beverage, and leisure brands. We chose early September through early November as the strongest OOH window of the year where B2B spending restarts, the weather’s ideal, and major conferences (Dreamforce, Inbound, Disrupt, etc.) cluster. It’s the moment to drive pipeline and capture leftover budgets before holiday freezes.

Q4: Holiday Wind-Down

After mid-November, corporate attention shifts to holidays and fiscal wrap-ups; B2B conversions dip. Consumer and retail campaigns thrive between Black Friday and Christmas, while enterprise deals largely pause until January.

Who are the major operators of OOH media?

Diagram showing Clear Channel Outdoor (CCO) in the center connected to four smaller circles labeled Lamar, JC Decaux, Intersection, and Outfront.

Across the United States, there’s about a set of major operators that run all of OOH media. The 3 most important are:

  1. Clear Channel Outdoor (CCO)
    1. Across the US, CCO owns about 40,000 billboards. In San Francisco, Clear Channel owns the transit shelters, a lot of very high quality premiere panels/billboards in the city and along the Skyway/US 101, and Muni platforms.
  2. Outfront
    1. Outfront similarly owns about 40,000 billboard across the US. In San Francisco, Outfront owns the BART, CalTrain, and MUNI stations (Embarcadero, Montgomery, Powell, etc.) as well as many excellent billboards on the highways and in the cities. They also own the NYC city subway cars, the stations, and many incredible placements all over the New York.
  3. Lamar
    1. Lamar is by far the largest operator, owning over 116,000 billboard faces all over the US. They have a good selection across many metros, but we did not contract with Lamar as most of their high-profile units were taken.

Collectively, these three own about ~250,000 of the estimated 400,000 billboard faces in the US, or about 62%.

Additional notable vendors include:

  1. Intersection
    1. In San Francisco, they own the entire SFMTA - so all types of bus advertising goes through them. Full bus wraps, bus headliners or kongs, or even half-wraps.
  2. JC Decaux
    1. Most of San Francisco’s street furniture is owned by JCD. This includes information kiosks/pillars that create an impact directly on the passerby. Units are usually sold in packages - for example JCD’s Moscone center street furniture package has 10 information kiosks that directly target the Moscone center.

Capital Outdoors, Reagan Outdoors, Silvercast, and a few others make up the rest of the landscape of out-of-home.

What are the different types of media? What should I get?

1. Bulletins/Billboards

These are the classic large-format displays you see along highways, rooftops, or major city arteries.

  • Use for: Big brand moments, awareness plays, or category leadership statements.
  • Strengths: Huge reach, high prestige, long dwell time on highways.
  • Weaknesses: Expensive in Tier 1 cities; limited flexibility once installed.

(Examples: US-101 and I-280 corridors in SF, the Sunset Strip in LA, Times Square in NYC.)

Crown jewel pieces in a campaign - any major bulletin on the way up or down from SFO will generate the highest quality impressions and capture everyone. Anchor pieces like these really tie campaigns together.

Billboard reading 'Today, compliance is done in days, not months. It's done in Delve. Delve.co' against a clear blue sky and urban backdrop.

2. Premiere Panels & Wallscapes

High-impact, high-traffic urban billboards placed at major intersections, bridges, or downtown walls.

  • Use for: Company launches, investor signaling, or head-turning creative campaigns.
  • Strengths: Prime city visibility, often photographed and shared on social media.
  • Weaknesses: Limited inventory; typically booked months in advance.

(Examples: City-32 premiere panel network,SoMa wall murals, NYC SoHo wallscapes.)

Workhorse units. These target your ICP when they are out for dinner, going to watch a game, picking up their kids from school. Pick them carefully.

Two stacked billboards on a building with text about compliance audits and colonoscopy prep, advertising Delve.co.

3. Street Furniture

Includes transit shelters, bus stops, benches, and public kiosks. Managed by JC Decaux, ClearChannel, others.

  • Use for: City-wide brand saturation and repetition.
  • Strengths: High pedestrian frequency, affordable packages, consistent daily visibility.
  • Weaknesses: Smaller format means your creative must be ultra-simple and bold.

(Example: JC Decaux’s Moscone Center package with 10 information kiosks, CCO’s 3rd St Triptychs targeting YC.)

Great for specific targeting of particular accounts or geographies and for creating a consistent sense of your brand on the streets.

Bus stop ad for Delve.co stating compliance is done before your co-founder drops a 'what B2B SaaS taught me' post, with the tagline 'It's done in Delve.'

4. Transit Advertising

Bus wraps, train station takeovers, subway car interiors, and airport displays.

  • Use for: Targeting commuters and travelers, especially in major metros.
  • Strengths: Excellent for frequency and brand recall; high engagement for mobile users.
  • Weaknesses: Creative must adapt to motion and varying environments.

(Examples: Station dominations via Outfront; full-bus wraps via Intersection, bus shelters via CCO.)

This make sense when some set of your ICP commutes in from suburbs or uses the subway regularly - like enterprise middle management. If you’ve coordinated during conferences, you’ll get some additional exposure from public transit enthusiasts.

A public transit bus with advertisements for Delve.co, displaying messages about compliance and clean air vehicles.
View of a train station platform with a white and red train, a person in a yellow safety vest standing at the open door, a man walking on the platform, and large advertisements on the walls featuring compliance-related slogans.

5. Digital OOH (DOOH)

LED or LCD billboards that can rotate creatives dynamically or be updated programmatically.

  • Use for: Time-sensitive campaigns, A/B testing, or creative experimentation.
  • Strengths: Flexible, measurable (via impression tracking), and visually striking.
  • Weaknesses: Limited premium placements; shorter dwell time than static boards.

(Examples: Subway station liveboards via CCO/Outfront that play your ad in a fixed set )

Digital boards are usually cherry-on-top for a larger static campaign and then used in subsequent campaigns when people are mildly aware of your brand and you’re looking for consistent performance. Since your Share of Voice is already >10% in this media, you’re not yielding as much value.

Three vertical digital screens on a wall display a message: 'Today, compliance is done in Delve.' with the Delve.co logo.

Your ideal campaign should bring all these media types together under one package to create the sense of omnipresence in the city.

How should I start putting my campaign together?

When thinking about putting a campaign together, you first want to nail down your goals. Ask yourself these questions in an exercise:

  1. Why exactly are you doing this?
    1. What do you really care about? Are you viewing this as a pure brand play?
  2. Who are you selling to? Who is the exact ICP? Who are the stakeholders?
    1. Don’t try to sell to too many people in one campaign. Be very specific
  3. What are we trying to convey about our brand?
    1. What are we selling? Can we convey it simply and distinctly? Can we avoid becoming beige?

Once you’ve asked yourself these hard questions - and they can change - you’re ready to go to the whiteboard and start figuring out what you want. Research your audience’s physical world habits. Unlike online ads, OOH success depends on placing messages in the real locations your targets frequent. Map out where they live, work, commute, and congregate. If you’re aiming at, say, startup founders in the Bay Area, concentrate on high-density tech corridors (e.g. SOMA, Market Street, Caltrain routes) and highways like the 101 that they drive on. Stych famously did exactly this, plotting out commuting routes and conference venues in SF, then selecting billboard and transit ad locations near those hotspots to maximize impressions among their audience

Delve did something very similar when starting our campaign. We pulled all of our customer addresses from Docusign contracts and plotted them into a map. We also aggregated in data from larger partners to figure out where prospective customers from our Dream 100 (top 100 clients we’d like to sign) are as well. We’d recently run a massive physical marketing campaign, so we had some other address data on hand. We plugged all that into kepler.gl to figure out exactly where we wanted to focus our efforts:

Heatmap of San Francisco showing high-intensity data points concentrated in downtown and eastern neighborhoods.

Who else is involved in an OOH Campaign?

Diagram listing parties involved in an OOH campaign: Media Operators, Media Buying Agency/Broker, Creative Designers/Agency, Marketing/Growth Team (Internal) on an orange gradient background.

Running an OOH campaign is a team effort that involves both external partners and your internal team. Key players include:

  • Media Operators: These are the companies who own the billboards, transit ads, bus benches, etc., such as Lamar, Outfront Media, Clear Channel, and local vendors. They provide the inventory and handle installation. You can work with them directly if you’re experienced, but if it’s your first time - find a broker that can take care of this for you. The operator’s job is to lease you the ad space and ensure your creative goes up on schedule.
  • Media Buying Agency/Broker: As mentioned earlier, a specialized OOH agency or media broker can plan and negotiate the buy on your behalf They interface with all the operators (so you don’t have to individually call Lamar, Outfront, etc.), get quotes, and secure the best locations within your budget. They also handle a lot of logistics. For a first campaign, having an experienced media buyer is a huge help – they know the landscape and can advise on format mix, flight duration, and fair pricing. Their fee or commission is usually baked into the buy (often a percentage), but a good broker often pays for themselves by stretching your dollars further.
    • For our campaign, we worked with Kasper Koczab, Head of OOH Media at Brex. His understanding of OOH all over the country is unmatched and he was able to help us navigate the complexities of media and secure a really solid package.
  • Creative Designers/Agency: You’ll need someone to design the actual ads – the visuals and copy that go on the billboard or poster. This could be your in-house design team if you have one (as many startups do), or an external creative agency or freelancer. Some brands use their general creative agency; others hire specialists who understand OOH design principles.
    • If you’re doing multiple formats (billboards, bus wraps, etc.), designers will need to adapt the creative to various specs and formats
    • Pro tip: There’s so many moving parts to a large campaign, that having an experienced team that knows the ad format, the production specs, and can keep you on top of all the details can make life way easier and potentially save $10,000’s in lost media.
    • We worked with Josh and the team at Division of Labor to put our campaign together. They helped us run through multiple design reviews, settle on our brand and visual identity, and caution us through many potential pitfalls.
  • Marketing/Growth Team (Internal): Within your startup, your marketing and growth team will quarterback the campaign and work with everyone above. Be prepared for some cross-functional input, for instance, leadership might want to review the billboard messaging, or sales might chime in with an opinion. Align stakeholders early so you can move quickly on execution.

How do you think about copy?

All of marketing is about standing out. How can you be really different? Billboards offer you the opportunity to be among the top 1% of companies that make it off the incessantly bombarded screen and get into the real world. Don’t think that gives you the freedom to finally spew product and feature copy all over. Your campaign is won or lost by the words you put on the billboard. Here’s how to approach it:

Be someone. Thousands of companies come out with stock, harmless, slogans cooked up in a boardroom that won’t elicit any response. Larger enterprises care too much about brand integrity to try anything out-of-the-box and already have enough recall. How can you be truly different?

You need out-of-the-box, contextualized ideas that tap into societal and cultural cues. Think about how you can use your brand, your industry keywords to devise copy that makes someone think “Ha! That’s clever.” That’s how you’ll win. It will take time, revision, and work - but it’s the only way to really win.

If your leadership is willing, make your copy or graphics a little controversial. Bland’s “Still hiring humans?” campaign famously generated incredible engagement. Recently, Friend.com took over social media with ads being defaced all over the subway. It’s your prerogative on how far you want to go, but creating an identity is much better than being invisible.

Simplicity is king. The best billboard messages are extremely short, clear, and instantly graspable – think 7 words or fewer as a rule of thumb. Drivers or pedestrians only glance for a few seconds, so you have to communicate one idea fast. This means one simple message or tagline, with text in a huge, high-contrast font so it’s legible from a distance. An industry saying goes “short copy sticks”– and it’s especially true for billboards.

Beyond brevity, out-of-home is all about sparking emotion. If you can elicit a chuckle, an intrigued eyebrow raise, or an “aha” recognition, your ad will be memorable. No one looks at billboards in pursuit of a mathematical challenge. Frankly, they’re pretty annoyed that they're being marketed to all the time. It's your job to make it as funny, as evocative, and as emotion-inducing as possible.

Now, few practical tips and hygiene for copy/design:

  • Contrast and readability: Use large, blocky fonts and strong color contrast (light text on dark background or vice versa). No one should squint to read your ad. Test by printing your design small and see if you can read it from across the room. Product designers often design for small screens, so it’s a conscious adjustment.
  • One theme, one idea, one CTA: Memorable campaigns come together around one unifying theme. You’ll have hundreds of pieces of creative, and you want them all to come together and tell a story, not fight for attention. When someone looks at your media, they should subconsciously feel familiarity with it because it matches the tone and theme. Think about “Just do it” or “Think differently”. Delve’s take on this was “Compliance is done in Delve” - and all the creative came back to this idea.
  • Let visuals help: A striking image or bold and creative graphic breaks up text and makes it fun to look at. Think about motifs and symbols around your brand that you can incorporate. For example, if you’re building something that makes a process faster - create a leaderboard graphic!
  • Test for the “5-second rule”: Imagine a person seeing your ad for 5 seconds or less. Will they get the gist? If not, simplify it. Cut unnecessary words and elements. Many experts literally suggest 7 words, 1 image max for a standard billboard.

In summary: short, bold, and resonant. Your copy should be punchy and easy-to-digest, with a design that grabs attention at a glance. Marry that clarity with a spark, whether humor, emotion, or intrigue that makes people remember it.

Great creative connects on an emotional level, not a rational one. You’re talking to humans — make them laugh, make them excited, make them curious.
Kasper Koczab - Head of OOH Media, Brex

Analysis

This is some text inside of a div block.
Date
1
min read

How Should You Think About Attribution for OOH?

Attribution in OOH is famously fuzzy. Unlike digital ads, you won’t get a precise click-through or conversion rate tied to each billboard, and that’s okay. Physical ads don’t have pixels or UTM tags, so you need to embrace indirect and longer-term metrics. Successful startups view OOH as a brand awareness play that lifts many metrics collectively, rather than a direct response channel.

So how do you gauge if it’s working? There’s 3 main methods we used:

  1. Branded Search Uplift
    1. The industry-standard figure is to anticipate around a 10-20% uplift in branded search.
  2. First-party mentions
    1. In your lead form or in sales calls, track how many times billboards is mentioned as a referral source. We used that to attribute a certain amount of each deal that closed to OOH and built a rough financial model.
  3. CPM
    1. Based on the quoted impressions from your media operators + the social media impressions you generated you can calculate a rough opportunity cost of CPM in this channel vs others. (Not high signal, but good for marketers to have a number.)

Some brands leverage QR codes or short URL’s on transit ads or billboards; just be realistic that not everyone will stop to scan a specific code or URL. It’s much more effective to use that real estate in better ways, when prospects will just type in “[company name]” into Google.

Overall, you’ll have to accept that OOH’s value is largely multi-touch and long-term. It plants seeds in your audience’s mind that may pay off weeks or months later. As one marketing leader said, don’t expect a single “ROAS” number – instead, look for a mix of leading indicators (like branded search uptick, social media buzz, word-of-mouth) and anecdotal evidence that your message is sinking in. If you see those, your OOH is doing its job even if you can’t attribute every dollar of revenue to a specific billboard.

It’s rather important however to look at it from more angles than just pipeline. You’re building brand - and that has value everywhere. You should evaluate:

Graphic showing five labeled layers with connecting lines: Pipeline, Recruitment, Company Morale, Investor Confidence, and Customer Strength.
  1. Pipeline
    1. Ultimately, it’s a business and revenue needs to be generated. More visibility, more credibility, more deals closed.
  2. Recruitment
    1. If pipeline is the gas, recruitment is the driver. The value your talent acquisition team gets from cementing the brand and building credibility with high profile recruits is unmatched. Talk to those teams and see how it’s affecting them!
  3. Company Morale
    1. For your founding team, recent hires, and even the leadership, OOH can feel like a coming-of-age moment for the company. To see your brand amongst Apple, Google, Hubspot and more is a rewarding and uplifting feeling that an expensive offsite can’t match.
  4. Investor Confidence
    1. Investors are some of the biggest fans of OOH campaigns. They love to see their portfolio companies under the spotlight.
  5. Customer Strength
    1. When customers see their startup vendor making it big, it gives them a lot of confidence in your ability to keep winning and solving problems for them. It can help allay churn risk, provide credibility to your internal champions, and help explore more use cases.

Attribution will always be fuzzy in OOH, but if your brand is optimized for this channel, you’ll do well. Don’t sweat it.

With out-of-home advertising, you should make the investment because the logic makes sense. While you should try to get a directional read on OOH impact, you also have to use your best judgment around where your audience is and what message they respond to. Intuition can carry you far in marketing.

- Brandom Camhi, Head of Marketing at Rippling

Sources and Citations

Huge thanks to Reid from Stych for his work on this article that helped us a ton and provided a lot of useful data repurposed in this article. In addition, here were some other helpful articles that we referenced as we put together our billboards campaign and this article:

Abstract blurred background with gradient colors transitioning from teal to black and orange.
Download our OOH planning template and guidebook
We've received your information and you'll receive the materials via email shortly!
Oops! Something went wrong while submitting the form.