
PCI DSS Assessment SOP

Standard Operating Procedure for Payment Card Industry Data Security Standard assessments

Service Pillar: Protect
Service Category: Compliance Gap Assessment
Target Duration: 3-4 weeks
Related Pricing: See Pricing & Positioning


Service Overview

Purpose

Conduct comprehensive PCI DSS gap assessments that evaluate an organization's controls against the PCI DSS v4.0 requirements, preparing merchants and service providers for successful compliance validation.

Target Personas

| Persona | Primary Pain Point | Value Case |
|---|---|---|
| CFO/Controller | Payment processing requirements, compliance costs | Maintain payment processing capability |
| Service Business Owner | Customer payment protection, brand reputation | Customer trust and card acceptance |
| Solo IT Director | Complex technical requirements, limited resources | Expert guidance through compliance |

Business Justification

| Metric | Value | Source |
|---|---|---|
| Average cost of payment card data breach | $4.62 million | IBM Cost of a Data Breach 2024 |
| Non-compliance fine range | $5,000-$100,000/month | PCI SSC Enforcement |
| Merchants experiencing card fraud | 30% of all businesses | Nilson Report 2024 |
| Global card fraud losses | $33 billion annually | Nilson Report 2024 |
| PCI DSS v4.0 requirements | 12 requirements, 250+ controls | PCI DSS v4.0 |

Pricing Reference

| Tier | Scope | Price Range | Duration |
|---|---|---|---|
| SAQ-Based | Self-assessment questionnaire preparation | $8,000-$15,000 | 2-3 weeks |
| Standard | Level 2-4 merchant, moderate complexity | $20,000-$30,000 | 3-4 weeks |
| Complex | Level 1 merchant, service provider | $30,000-$50,000 | 4-6 weeks |

See Pricing & Positioning for complete pricing structure.


Pre-Engagement

Qualification Checklist

  • Merchant level determined
  • Current PCI DSS compliance status known
  • Cardholder data environment (CDE) boundaries understood
  • Payment processing method documented
  • Previous assessment results available
  • Acquiring bank requirements identified

Required Information Gathering

| Category | Documents Needed |
|---|---|
| Payment | Merchant level, transaction volumes, payment processors |
| Technical | Network diagrams, CDE boundaries, system inventory |
| Documentation | Existing policies, previous AOC/SAQ, scan reports |
| Vendor | Third-party service providers, P2PE solutions |
| Compliance | Acquiring bank requirements, previous findings |

Merchant Level Determination

| Level | Annual Transactions | Validation Requirement |
|---|---|---|
| Level 1 | >6 million | Annual QSA assessment + quarterly ASV scans |
| Level 2 | 1-6 million | Annual SAQ + quarterly ASV scans |
| Level 3 | 20,000-1 million (e-commerce) | Annual SAQ + quarterly ASV scans |
| Level 4 | <20,000 (e-commerce) or <1 million | Annual SAQ, ASV scans recommended |

PCI DSS v4.0 Framework

Requirements Overview

| Requirement | Title | Focus Areas |
|---|---|---|
| 1 | Install and maintain network security controls | Firewalls, network segmentation |
| 2 | Apply secure configurations | System hardening, vendor defaults |
| 3 | Protect stored account data | Encryption, key management, storage |
| 4 | Protect cardholder data with strong cryptography | Transmission encryption |
| 5 | Protect all systems from malware | Anti-malware, security software |
| 6 | Develop and maintain secure systems | Secure development, patching |
| 7 | Restrict access to system components | Need-to-know, least privilege |
| 8 | Identify users and authenticate access | MFA, password policies |
| 9 | Restrict physical access | Facility security, media handling |
| 10 | Log and monitor access | Logging, audit trails, monitoring |
| 11 | Test security regularly | Vulnerability scans, penetration tests |
| 12 | Support security with organizational policies | Policies, risk assessment, awareness |

PCI DSS v4.0 Key Changes

| Area | Change | Deadline |
|---|---|---|
| Customized approach | Alternative to defined approach | March 2024 |
| MFA requirements | Expanded MFA for CDE access | March 2025 |
| Targeted risk analysis | Required for flexible requirements | March 2025 |
| Authentication requirements | Increased password length (12+ chars) | March 2025 |
| Automated technical solutions | Phishing protections, change detection | March 2025 |

Assessment Process

Phase 1: Scoping and Discovery (Days 1-5)

Objective: Define CDE boundaries and assessment scope

| Activity | Deliverable | Duration |
|---|---|---|
| Kickoff meeting | Aligned expectations | 0.5 day |
| CDE identification | CDE inventory | 1.5 days |
| Data flow mapping | Payment flow diagram | 1 day |
| Scope reduction analysis | Scope reduction opportunities | 1 day |
| SAQ determination | Applicable SAQ type | 0.5 day |

CDE Scoping Activities

| Activity | Purpose |
|---|---|
| Payment channel review | All card acceptance methods |
| Data flow analysis | CHD storage, processing, transmission |
| Network segmentation | CDE isolation from other networks |
| Third-party identification | Service providers in scope |
| P2PE/PCI solutions | Scope reduction technologies |

Phase 2: Documentation Assessment (Days 5-10)

Objective: Evaluate policies and procedures

| Activity | Deliverable | Duration |
|---|---|---|
| Policy review | Policy gap matrix | 2 days |
| Procedure assessment | Procedure gap analysis | 2 days |
| Risk assessment review | PCI risk assessment status | 0.5 day |
| Training review | Awareness program evaluation | 0.5 day |

Required Documentation

| Document | PCI Requirement |
|---|---|
| Information security policy | Requirement 12 |
| Network diagrams | Requirements 1, 11 |
| Data flow diagrams | Requirements 3, 4 |
| Incident response plan | Requirement 12.10 |
| Security awareness program | Requirement 12.6 |
| Change management procedures | Requirement 6 |
| Access control policies | Requirements 7, 8 |
| Vendor management program | Requirement 12.8 |

Phase 3: Technical Assessment (Days 10-18)

Objective: Validate technical control implementation

| Activity | Deliverable | Duration |
|---|---|---|
| Network security review | Firewall/segmentation findings | 2 days |
| Configuration assessment | Hardening validation | 2 days |
| Encryption validation | Data protection findings | 1.5 days |
| Access control testing | Authentication findings | 1.5 days |
| Logging and monitoring | Audit trail review | 1 day |

Technical Validation Areas

| Control Area | Validation Methods |
|---|---|
| Firewall rules | Rule review, segmentation testing |
| System hardening | Configuration standards compliance |
| Encryption | TLS configuration, key management |
| Authentication | MFA implementation, password policies |
| Logging | Log configuration, retention, protection |
| Vulnerability scanning | ASV scan review, internal scan process |
| Penetration testing | Test report review, methodology validation |

Phase 4: Gap Analysis and Reporting (Days 16-22)

Objective: Document findings and remediation roadmap

| Activity | Deliverable | Duration |
|---|---|---|
| Finding consolidation | Comprehensive gap matrix | 1 day |
| Remediation prioritization | Priority matrix | 1 day |
| Roadmap development | Implementation timeline | 2 days |
| Report drafting | Draft assessment | 2 days |
| Final delivery | Complete gap assessment | 1 day |

SAQ Determination Guide

SAQ Types

| SAQ | Card-Present | Card-Not-Present | Outsourced | Typical Merchant |
|---|---|---|---|---|
| A | No | Yes | Fully | Web redirect only |
| A-EP | No | Yes | Partially | E-commerce with some processing |
| B | Yes | No | N/A | Imprint/dial-out terminal only |
| B-IP | Yes | No | N/A | IP-connected terminal only |
| C | Yes | No | N/A | Payment application systems |
| C-VT | Yes | No | Partially | Virtual terminal only |
| D | Any | Any | Any | All others |
| P2PE | Yes | No | N/A | Validated P2PE solution |

Scope Reduction Strategies

| Strategy | Reduction Impact | Considerations |
|---|---|---|
| P2PE | Significant | Validated solution required |
| Tokenization | Moderate | Token vault security |
| Network segmentation | Moderate | Proper implementation critical |
| Outsourcing | Variable | Vendor PCI compliance required |
| SAQ eligibility | Significant | Limited payment scenarios |

Deliverables

PCI DSS Gap Assessment Report

Structure:

  1. Executive Summary
     • Assessment scope and approach
     • Compliance readiness score
     • Critical gaps identified
     • Investment requirements

  2. Scope Definition
     • CDE boundaries
     • Payment channels
     • Third-party service providers
     • Applicable SAQ or full assessment

  3. Requirement-by-Requirement Assessment
     • All 12 requirements evaluated
     • Sub-requirements assessment
     • Implementation status
     • Gap identification

  4. Technical Findings
     • Network security gaps
     • Configuration weaknesses
     • Encryption issues
     • Access control findings

  5. Remediation Roadmap
     • Prioritized action items
     • Resource estimates
     • Timeline to compliance
     • Quick wins identified

Supporting Materials

| Material | Purpose |
|---|---|
| SAQ preparation guide | Self-assessment assistance |
| Policy templates | Address documentation gaps |
| ASV scan guidance | Quarterly scan preparation |
| Scope reduction analysis | Options to reduce compliance burden |

Compliance Pathway

Timeline to Compliance

| Phase | Duration | Activities |
|---|---|---|
| Gap Assessment | 3-4 weeks | This engagement |
| Remediation | 2-6 months | Control implementation |
| ASV Scanning | Ongoing | Quarterly external scans |
| SAQ/Assessment | 2-4 weeks | Formal validation |
| Submission | 1 week | AOC to acquiring bank |

Annual Compliance Requirements

| Activity | Frequency | Requirement |
|---|---|---|
| SAQ/Assessment | Annual | All levels |
| ASV Vulnerability Scan | Quarterly | Passing scan required |
| Internal Vulnerability Scan | Quarterly | Per Requirement 11 |
| Penetration Test | Annual | Requirement 11.4 |
| Security Awareness Training | Annual | Requirement 12.6 |
| Risk Assessment | Annual | Requirement 12.3 |

Quality Assurance

Internal Review Checklist

  • All 12 requirements assessed
  • CDE scope accurately defined
  • SAQ type properly determined
  • Technical findings validated
  • Remediation timeline realistic
  • Scope reduction opportunities identified
  • Third-party requirements addressed

Client Review Process

  1. Draft report delivery
  2. 5 business day review period
  3. Questions/clarifications call
  4. Final report delivery
  5. Remediation planning session

Post-Delivery

Remediation Support Options

| Option | Scope | Investment |
|---|---|---|
| Self-Remediation | Report + templates only | Included |
| Guided Remediation | Monthly check-ins, Q&A | $3,000-$5,000/month |
| Full Remediation | Hands-on implementation | Custom scoping |

Ongoing Compliance Services

| Service | Description |
|---|---|
| Quarterly ASV coordination | Manage ASV scanning process |
| Annual SAQ preparation | SAQ completion assistance |
| Penetration testing | Annual Requirement 11.4 testing |
| Security awareness | PCI-focused training program |

| Service | Connection | SOP Reference |
|---|---|---|
| Penetration Testing | PCI Requirement 11.4 | pentest-sop.md |
| Security Awareness Training | PCI Requirement 12.6 | security-training-sop.md |
| Risk Assessment | PCI Requirement 12.3 | risk-assessment-sop.md |
| vCISO | Ongoing compliance management | vcto-vciso-engagement-sop.md |

Evidence Base

Why This Approach Works

| Principle | Evidence | Source |
|---|---|---|
| Scope reduction critical | 60% reduction in controls with proper scoping | PCI SSC Scoping Guidance |
| Gap assessment reduces risk | Organizations with pre-assessments 2x more likely to pass | Industry analysis |
| Technical validation essential | 70% of failures due to technical gaps | QSA audit data |
| Continuous compliance more effective | Annual-only approach leads to gaps | Verizon Payment Security Report |

SBK Success Metrics

| Metric | Target | Measurement |
|---|---|---|
| First-time compliance pass | 95%+ | Assessment outcomes |
| Scope reduction achieved | 30% average | Pre/post comparison |
| Client satisfaction | 4.5+/5.0 | Post-engagement survey |
| Remediation engagement rate | 60%+ | Sales tracking |

Regulatory References


Last Updated: February 2026
Version: 1.0