PCI Maturity Levels

Ben Pournader
3 min readAug 6, 2018


I was recently asked as a Subject Matter Expert (SME) for determining a maturity level on PCI DSS program for a business. My answer to that question was that I have some benchmarks based on my previous experience and these are the factors that I usually consider to determine the status and level of the maturity for its PCI compliance program:

1. Low

Organization identifies and knows the problems

a. Processing, transmission and storage of card holder data are identified and documented. Internal and External (e.g. with 3rd parties like service providers) dataflow both plays very important role and is needed for PCI.

b. The scope of PCI (people, process and systems) is known to the business based on the latest PCI guideline: Guidance for PCI DSS Scoping and Network Segmentation (version 1.1, May 2017)

c. The existing security controls/safeguards, not necessarily related to PCI DSS, are known

d. The gap in controls (controls includes physical controls, technical controls like encryption, Credit Card masking/truncation/tokenization, and administrative controls like security policy, 3rd party risk assessment and security training)

This level involves 7 activities to provide input for scoping and gap assessment

  • Discover card holder data processing, transmission and storage
  • Discover third party card holder data sharing
  • Discover all systems in CDE (Card holder Data Environment)
  • Discover all 3 components of PCI scope (mentioned above in item b) including third parties, impacting card holder data security
  • Define the full inventory of the PCI scope based on the discovery and the perimeters
  • Perform a gap assessment to identify required PCI DSS controls not in place
  • Documentation in order to to provide inputs to later phases, and to support the PCI yearly assessment

2. Moderate

Organization takes appropriate measures to develop a PCI DSS compliance program

a. Have a remediation plan based on the PCI scope and the gap assessment

b. Have documentation around security controls/safeguards, not necessarily related to PCI DSS, that are already in place for PCI scope (people, process and systems)

c. Have a plan for potential scope reduction to reduce the time and cost of compliance program and to perform process improvement

d. Have policies, standards, and processes required by PCI DSS. These documentations will act as foundation for implementing physical, technical and administrative controls

e. Have defined some technical and nontechnical controls and map them to PCI requirements

f. Having change management process in place in order to monitor, manage and get approval for all changes in PCI scope

3. Strong

The organization is ready for an external assessment/audit or recently passed an annual assessment by a PCI qualified security assessor

a. Have a process to detect any change in the organization to understand the affect of that change to PCI scope or change in control

b. Maintain policies, standards, and processes and keep updating them

c. All 140+ PCI controls (administrative, technical and physical) are in place (or have compensating control for each missed item)

d. Have a validation of implementation of all required PCI controls

e. Have a procedure in place to monitor the PCI compliance status in order to ensure it is in its track

f. Have a process to identify changes for the risk of non-compliance or PCI scope increase and have a plan to address and fix those issues



Ben Pournader

Information Security Expert, Cyber Security Engineer, Blogger, Mentor, PCI SME, CISM, CGEIT, CISA, CRISC, RHCSA, MCSE, CCNA, MBA, PMP, CLSSGB