ISO 27001 Maturity Assessment
Evaluate your Information Security Management System against the ISO/IEC 27001:2022 standard.
Learn moreOverview
The PCI DSS Maturity Assessment provides a comprehensive framework for evaluating your organisation's implementation of Payment Card Industry Data Security Standard controls. With 154 questions across 11 domains, this assessment covers all PCI DSS requirements with SAQ-type filtering for organisations of different compliance levels.
Through structured evaluation criteria aligned to PCI DSS v4.0, you will assess your organisation's ability to protect cardholder data across network security, access controls, vulnerability management, monitoring, and information security policy domains.
The assessment employs a maturity-based scoring model to help you understand your current compliance posture, identify control gaps, and develop a prioritised remediation roadmap for QSA audit readiness or SAQ completion.
Who It's For
This assessment is designed for:
- Merchants and service providers processing payment card data
- Organisations preparing for PCI DSS validation assessments
- Payment security managers and compliance officers
- CISOs overseeing cardholder data environments
- Internal audit teams conducting PCI readiness reviews
- QSAs and ISAs preparing clients for formal assessments
Typical Outcomes
Organisations using this assessment typically gain:
- Clear understanding of current PCI DSS compliance maturity
- Identification of specific control gaps requiring remediation
- Prioritised action plan for achieving compliance
- Documentation to support internal compliance reporting
- Baseline for tracking compliance improvements over time
- Structured preparation for QSA or ISA assessments
Assessment Coverage
The assessment comprehensively evaluates PCI DSS across 11 domains:
- Security Governance & Program Management (GPM) — Security policies, programme ownership, and compliance management
- Network Security & Segmentation (NSS) — Firewall configuration, network architecture, and CDE segmentation
- Secure Configuration Management (SCM) — System hardening, default passwords, and configuration standards
- Data Protection & Cryptography (DPC) — Cardholder data storage, transmission security, and key management
- Malware & Endpoint Protection (MEP) — Anti-malware deployment, updates, and endpoint security
- Secure Development & Change Management (SDC) — Secure SDLC, code reviews, and change control
- Access Control & Authorisation (ACA) — Access restriction, need-to-know, and authorisation processes
- Identity & Authentication Management (IAM) — User identification, authentication controls, and MFA
- Physical Security (PHY) — Physical access controls and media handling
- Logging, Monitoring & Detection (LMD) — Audit logging, monitoring, and security event detection
- Security Testing & Vulnerability Management (STV) — Vulnerability scanning, penetration testing, and remediation
SAQ-Type Filtering
The assessment supports SAQ-type filtering to focus on requirements relevant to your validation type:
- SAQ A, A-EP — E-commerce merchants with outsourced payment processing
- SAQ B, B-IP — Merchants with imprint machines or standalone terminals
- SAQ C, C-VT — Merchants with payment applications or virtual terminals
- SAQ D — Merchants and service providers with full requirement scope
Important Disclaimer
This assessment is a self-assessment tool designed to help organisations evaluate their current compliance posture. It does not constitute a formal PCI DSS assessment, validation, or attestation of compliance. Formal PCI DSS compliance validation requires assessment by a Qualified Security Assessor (QSA) or completion of the official Self-Assessment Questionnaire (SAQ) as appropriate for your organisation's merchant or service provider level.