With 72% of merchants falling out of compliance shortly after completing a Report on Compliance (Verizon 2020 Payment Security Report), it’s clear that not many merchants have a robust PCI Sustainability Program with compliance procedures and processes built into everyday security activities.

At Payment Card Assessments, we’ve defined 4 levels of PCI DSS maturity. How do you measure up?

Level 1: Initial

At this level, you’re probably just starting on your PCI DSS compliance journey, or you’re moving from a self-assessment to a mandatory Report on Compliance, either because your transaction volume hit the 6 million transaction jackpot or because your acquirer has asked you to complete a Report on Compliance. This is the most painful part of the journey, but like Confucius said, the journey of 1,000 miles begins with the first step.

Level 2: Repeatable

At this stage of maturity, your processes, policies, and standards are documented, planned, performed, monitored, and controlled. You may still be managing PCI compliance at the project level and working towards a more cohesive program. You have a better understanding of the PCI DSS requirements; however, PCI challenges and failures are still something your organization reacts to rather than anticipates.

Level 3: Defined

Your organization is getting there. Operational procedures are documented, followed, and known by all impacted parties. You’re becoming proactive in your approach to PCI and have the capability to begin repeatable processes for gathering PCI evidence throughout the year rather than just at time of audit.

Level 4: Quantitatively Managed

Your organization has an in-depth understanding of critical controls, requirement frequencies, and their impact on other requirements. Your organization has adopted a proactive PCI compliance posture and is better able to respond to controls that fall out of compliance in a timely manner. Your organization has the ability to complete a Report on Compliance effectively and efficiently AND sustain compliance throughout the year.

At this level, your organization has the time to analyze and monitor critical controls and remediate before a control falls out of compliance. Where a critical issue cannot be fixed in time, your organization can get in front of it and inform the QSA and the acquirer of any issue that may run past the Report on Compliance due date.

Are you curious to see how you stack up with the PCI DSS Compliance Maturity Model?

Take our quick and easy PCI Compliance Maturity Assessment. You’ll receive your results immediately. And if you have any questions or need help with improving your PCI DSS compliance program, request a call back and we’ll schedule a 30-minute consult!


4 Smart Ways To Stop Overcomplicating PCI Compliance

You can do PCI Compliance the Smart Way or the Hard Way. Which way do you choose?

You know that saying, “objects appear bigger in the rearview mirror,” right?

When it comes to PCI compliance, satisfying the requirements often looks bigger the more you stare at them. And when you look at the requirements in isolation, they often look next to impossible to implement. Your brain (and my brain) wants to overcomplicate what needs to be in place to secure the cardholder data environment.

Maybe you jump immediately to implementing the newest shiny security tool without thinking of how it will impact other in scope systems.

Maybe you leap to more complexity by adding layers of security controls and processes when one solid, repeatable process will do.

Or maybe you bury your head in the sand and sing lalalalalalalalalalala….(honestly, there were days I wish I could’ve done that!)

PCI Compliance doesn’t have to be complicated.

Here are 4 smart ways to stop overcomplicating your PCI Compliance program:

Firewalls and Routers: How to Take Control of Unruly Firewall Rules, Configurations and Network Connections

Best Practice: Developers and system administrators request changes to firewall rule sets all the time. Whether it’s to do work on system components or to test system components, these changes can make a mess of your rule sets. It’s so easy for someone to unintentionally request an “any” rule, which is prohibited in the cardholder data environment. Our best advice is to insert your ISA (Internal Security Assessor) or someone on the compliance team into the firewall rule change review.
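One way to put that review step on rails, as an added example that is not code from Payment Card Assessments: a small pre-approval linter the ISA or compliance reviewer can run over a proposed change before it reaches the change board. It flags allow rules that touch the cardholder data environment and use “any” for source, destination, or service, and it goes one step beyond the paragraph by also flagging allow rules with no documented business justification. The rule record format, the CDE subnets, and the sample change request are all constructed for illustration; substitute your own scope inventory and ticket export.

```python
"""Pre-approval check for firewall rule change requests.

Added example (not the blog's or any vendor's code). The Rule format, the
CDE subnets and the sample change request are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List

# Constructed CDE segments. In practice these come from the organization's
# own network diagram and scope inventory, not from a hard-coded list.
CDE_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("10.21.0.0/24")]


@dataclass
class Rule:
    rule_id: str
    src: str            # CIDR or "any"
    dst: str            # CIDR or "any"
    service: str        # e.g. "tcp/443", "udp/53", or "any"
    action: str         # "allow" or "deny"
    justification: str = ""


def _is_any(value: str) -> bool:
    """Treat the usual spellings of a wildcard as an 'any' rule."""
    return value.strip().lower() in {"any", "*", "0.0.0.0/0", "::/0"}


def _touches_cde(cidr: str) -> bool:
    """True if the address range overlaps a CDE segment (an 'any' always does)."""
    if _is_any(cidr):
        return True
    net = ip_network(cidr, strict=False)
    return any(
        net.version == cde.version and (net.subnet_of(cde) or cde.subnet_of(net))
        for cde in CDE_NETWORKS
    )


def review_rule(rule: Rule) -> List[str]:
    """Return reviewer findings for one rule; an empty list means no objection."""
    findings: List[str] = []
    if rule.action.lower() != "allow":
        return findings  # default-deny / explicit deny rules are not the concern here
    if not (_touches_cde(rule.src) or _touches_cde(rule.dst)):
        return findings  # out of scope: not a CDE connection
    for field_name in ("src", "dst", "service"):
        if _is_any(getattr(rule, field_name)):
            findings.append(
                f"{rule.rule_id}: '{field_name}' is 'any' on an allow rule touching the CDE"
            )
    if not rule.justification.strip():
        findings.append(f"{rule.rule_id}: no documented business justification for allowed traffic")
    return findings


def review_change(rules: List[Rule]) -> Dict[str, object]:
    """Run a whole change request through review_rule.

    The summary is what the ISA attaches to the change ticket; the request
    should not be approved while findings remain.
    """
    findings: List[str] = []
    for rule in rules:
        findings.extend(review_rule(rule))
    return {"approved": not findings, "findings": findings}


# Constructed change request used to exercise the checks.
SAMPLE_CHANGE = [
    Rule("R1", "10.50.1.0/24", "10.20.5.10/32", "tcp/443", "allow", "web tier to payment API"),
    Rule("R2", "any", "10.20.5.10/32", "tcp/22", "allow", "admin access"),
    Rule("R3", "10.50.1.5/32", "10.20.0.0/16", "any", "allow"),
    Rule("R4", "any", "any", "any", "deny", "default deny at end of rule base"),
    Rule("R5", "192.168.1.0/24", "192.168.2.0/24", "any", "allow", "lab network, out of scope"),
]

if __name__ == "__main__":
    result = review_change(SAMPLE_CHANGE)
    print("APPROVED" if result["approved"] else "REJECTED")
    for finding in result["findings"]:
        print(" -", finding)
```

Run against the constructed request, R1 passes, R2 is flagged for an “any” source, R3 is flagged twice (service “any” and no justification), and the deny rule and the out-of-scope lab rule raise nothing. Hooking a check like this into the ticketing workflow gives the reviewer a consistent first pass, but it complements the human review the article recommends rather than replacing it; the overlap logic only knows the CDE segments you feed it.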
