PCI DSS Maturity Assessment

Overview

The PCI DSS Maturity Assessment provides a comprehensive framework for evaluating your organisation's implementation of Payment Card Industry Data Security Standard controls. With 154 questions across 11 domains, this assessment covers all PCI DSS requirements with SAQ-type filtering for organisations of different compliance levels.

Through structured evaluation criteria aligned to PCI DSS v4.0, you will assess your organisation's ability to protect cardholder data across network security, access controls, vulnerability management, monitoring, and information security policy domains.

The assessment employs a maturity-based scoring model to help you understand your current compliance posture, identify control gaps, and develop a prioritised remediation roadmap for QSA audit readiness or SAQ completion.

Who It's For

This assessment is designed for:

• Merchants and service providers processing payment card data
• Organisations preparing for PCI DSS validation assessments
• Payment security managers and compliance officers
• CISOs overseeing cardholder data environments
• Internal audit teams conducting PCI readiness reviews
• QSAs and ISAs preparing clients for formal assessments

Typical Outcomes

Organisations using this assessment typically gain:

• Clear understanding of current PCI DSS compliance maturity
• Identification of specific control gaps requiring remediation
• Prioritised action plan for achieving compliance
• Documentation to support internal compliance reporting
• Baseline for tracking compliance improvements over time
• Structured preparation for QSA or ISA assessments

Assessment Coverage

The assessment comprehensively evaluates PCI DSS across 11 domains:

• Security Governance & Program Management (GPM) — Security policies, programme ownership, and compliance management
• Network Security & Segmentation (NSS) — Firewall configuration, network architecture, and CDE segmentation
• Secure Configuration Management (SCM) — System hardening, default passwords, and configuration standards
• Data Protection & Cryptography (DPC) — Cardholder data storage, transmission security, and key management
• Malware & Endpoint Protection (MEP) — Anti-malware deployment, updates, and endpoint security
• Secure Development & Change Management (SDC) — Secure SDLC, code reviews, and change control
• Access Control & Authorisation (ACA) — Access restriction, need-to-know, and authorisation processes
• Identity & Authentication Management (IAM) — User identification, authentication controls, and MFA
• Physical Security (PHY) — Physical access controls and media handling
• Logging, Monitoring & Detection (LMD) — Audit logging, monitoring, and security event detection
• Security Testing & Vulnerability Management (STV) — Vulnerability scanning, penetration testing, and remediation

SAQ-Type Filtering

The assessment supports SAQ-type filtering to focus on requirements relevant to your validation type:

• SAQ A, A-EP — E-commerce merchants with outsourced payment processing
• SAQ B, B-IP — Merchants with imprint machines or standalone terminals
• SAQ C, C-VT — Merchants with payment applications or virtual terminals
• SAQ D — Merchants and service providers with full requirement scope