Assess the Maturity of Your PCI DSS Compliance Program in 15 Minutes or Less!
Similar to a software development maturity model, the Payment Card Assessments PCI DSS Compliance Maturity Model © will help you understand how robust and sustainable your PCI Compliance program is. Along with your business contact information, your responses to this quick and easy survey will be scored to give you immediate results on one of four levels of maturity: initial, repeatable, defined, and quantitatively managed.

1. Your organization manages and keeps payment card scope current and updated.
Strongly Disagree Disagree Agree Strongly Agree
2. Your organization knows every location where cardholder data is stored, and the cardholder data flows are clearly defined, current, and updated as needed.
Strongly Disagree Disagree Agree Strongly Agree
3. Your organization’s cardholder data environment is properly isolated from the rest of the organization’s network.
Strongly Disagree Disagree Agree Strongly Agree
4. Your organization properly assesses and monitors vendors and partners that store, process, or transmit cardholder data on your behalf, or that connect to internal systems that store, process, or transmit cardholder data.
Strongly Disagree Disagree Agree Strongly Agree
5. Based on your organization’s current risk assessment, your organization has clearly identified the critical PCI system components that must be routinely monitored.
Strongly Disagree Disagree Agree Strongly Agree
6. Your organization has a clearly defined vulnerability risk ranking process and remediation schedule.
Strongly Disagree Disagree Agree Strongly Agree
7. Your organization has the capability to remediate critical and high-risk vulnerabilities on in-scope system components within 30 days.
Strongly Disagree Disagree Agree Strongly Agree
8. Your organization has an informed and engaged PCI Governance Board that meets on a regular basis.
Strongly Disagree Disagree Agree Strongly Agree
9. Your organization has clearly defined change management processes and procedures that include back-out procedures and approvals for all changes.
Strongly Disagree Disagree Agree Strongly Agree
10. Your organization has an active information security policy that is known to the entire organization, followed, and updated at least annually.
Strongly Disagree Disagree Agree Strongly Agree
11. Your organization has clearly defined processes and procedures for secure application coding and software development.
Strongly Disagree Disagree Agree Strongly Agree
12. Your organization has clearly defined processes and procedures for identity and access management.
Strongly Disagree Disagree Agree Strongly Agree
13. Your organization has a clearly defined incident response plan in the event of a data breach.
Strongly Disagree Disagree Agree Strongly Agree
14. If your organization stores cardholder data, your organization has clearly defined separation of duties in its cryptographic key management processes and procedures.
Strongly Disagree Disagree Agree Strongly Agree
15. Your organization has clearly defined processes and procedures for keeping 90 days of logs locally and retaining logs for 12 months on all in-scope PCI system components.
Strongly Disagree Disagree Agree Strongly Agree
16. Your organization is transparent with your QSA and/or acquirer when it comes to your PCI challenges.
Strongly Disagree Disagree Agree Strongly Agree
17. Your organization has robust security controls in place to identify and alert on key PCI requirements that have gone out of compliance, and has appropriate remediation processes and procedures in place in the event of PCI requirement failures.
Strongly Disagree Disagree Agree Strongly Agree
18. In the event of PCI requirement failures, your organization has clearly defined paths of escalation to ensure remediation efforts are given priority.
Strongly Disagree Disagree Agree Strongly Agree
19. Your organization has automated monitoring in place to identify gaps that may occur in key controls.
Strongly Disagree Disagree Agree Strongly Agree
20. Your organization's leadership clearly understands its legal and contractual obligation to comply with PCI DSS.
Strongly Disagree Disagree Agree Strongly Agree

PCI Compliance Maturity Assessment