With 72% of merchants falling out of compliance shortly after completing a Report on Compliance (Verizon 2020 Payment Security Report), it’s clear that not many merchants have a robust PCI Sustainability Program with compliance procedures and processes built into everyday security activities.
At Payment Card Assessments, we’ve defined 4 levels of PCI DSS maturity. How do you measure up?
Level 1: Initial
At this level, you’re probably just staring on your PCI DSS Compliance journey or you’re moving from a self-assessment to a mandatory Report on Compliance either because your transaction volume hit the 6 million transaction jackpot or because your acquirer has asked you to complete a Report on Compliance. This is the most painful part of the journey, but like Confucius said, the journey of 1,000 miles begins with the first step.
Level 2: Repeatable
At this stage of maturity, your processes, policies, and standards are documented, planned, performed, monitored and controlled. You may still be managing PCI Compliance at the project level and working towards a more cohesive program. You have a better understanding of the PCI DSS Requirements however, PCI challenges and failures are still something your organization reacts to.
Level 3: Defined
Your organization is getting there. Operational procedures are documented, followed, and known by all impacted parties. You’re becoming proactive in your approach to PCI and have the capability to begin repeatable processes for gathering PCI evidence throughout the year rather than just at time of audit.
Level 4: Quantitatively Managed
Your organization has an in-depth understanding of critical controls, requirement frequencies, and their impact on other requirements. Your organization has adopted a proactive PCI compliance posture and is better able to respond to controls that fall out of compliance in a timely manner. Your organization has the ability to complete a Report on Compliance effectively and efficiently AND sustain compliance throughout the year.
At this level, your organization has the time to analyze and monitor critical controls and remediate before your organization falls out of compliance or has the ability to get in front of critical issues and inform the QSA and the acquirer of any issues that may go past the Report on Compliance due date.
Are you curious to see how you stack up with the PCI DSS Compliance Maturity Model?
Take our quick and easy PCI Compliance Maturity Assessment. You’ll receive your results immediately. And if you have any questions or need help with improving your PCI DSS Compliance program, request a call back and we’ll schedule a 30 minute consult!