With 72% of merchants falling out of compliance shortly after completing a Report on Compliance (Verizon 2020 Payment Security Report), it’s clear that not many merchants have a robust PCI Sustainability Program with compliance procedures and processes built into everyday security activities.

At Payment Card Assessments, we’ve defined 4 levels of PCI DSS maturity. How do you measure up?

Assess Your PCI DSS Compliance Maturity Now

Level 1: Initial

At this level, you’re probably just staring on your PCI DSS Compliance journey or you’re moving from a self-assessment to a mandatory Report on Compliance either because your transaction volume hit the 6 million transaction jackpot or because your acquirer has asked you to complete a Report on Compliance. This is the most painful part of the journey, but like Confucius said, the journey of 1,000 miles begins with the first step.

Level 2: Repeatable

At this stage of maturity, your processes, policies, and standards are documented, planned, performed, monitored and controlled. You may still be managing PCI Compliance at the project level and working towards a more cohesive program. You have a better understanding of the PCI DSS Requirements however, PCI challenges and failures are still something your organization reacts to. 

Level 3: Defined

Your organization is getting there. Operational procedures are documented, followed, and known by all impacted parties. You’re becoming proactive in your approach to PCI and have the capability to begin repeatable processes for gathering PCI evidence throughout the year rather than just at time of audit.

Level 4: Quantitatively Managed

Your organization has an in-depth understanding of critical controls, requirement frequencies, and their impact on other requirements. Your organization has adopted a proactive PCI compliance posture and is better able to respond to controls that fall out of compliance in a timely manner. Your organization has the ability to complete a Report on Compliance effectively and efficiently AND sustain compliance throughout the year.

At this level, your organization has the time to analyze and monitor critical controls and remediate before your organization falls out of compliance or has the ability to get in front of critical issues and inform the QSA and the acquirer of any issues that may go past the Report on Compliance due date. 

Are you curious to see how you stack up with the PCI DSS Compliance Maturity Model?

Take our quick and easy PCI Compliance Maturity Assessment. You’ll receive your results immediately. And if you have any questions or need help with improving your PCI DSS Compliance program, request a call back and we’ll schedule a 30 minute consult!

5 PCI Compliance Headaches You Can Live Without

If PCI Compliance were easy, every organization would be doing it, right?

But it’s not.

The sad statistic from the most recent Verizon Payment Security Report is that 57% of all merchants fail to sustain PCI DSS Compliance.


There are so many reasons. Where do we start?

Let’s start with the 5 PCI Compliance headaches everyone can live without.

Leave a Reply

Your email address will not be published. Required fields are marked *

This field is required.

This field is required.

%d bloggers like this: