
The PCI DSS Assessment Process: What to Expect

Jason Likert
Published
July 7, 2025

Understanding PCI DSS Assessment Fundamentals

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) version 4.0.1 can appear daunting at first glance. Addressing 12 requirements containing hundreds of control objectives is challenging for many organizations. First-time PCI compliance assessments are particularly demanding for organizations without established internal or external audit programs that verify controls are implemented in a compliant manner.

As organizations navigate the transition from PCI DSS v3.2.1 (which retired in March 2025) to the current v4.0.1 standard, understanding the fundamental assessment methodology remains critical for success.

Assessment Scope and Applicability

PCI DSS requires that organizations comply with the applicable controls relevant to their specific environment. The different payment channels and security measures used by an organization may align with a specific Self-Assessment Questionnaire (SAQ) or be determined by the acquiring bank, processor, or card brands. These control objectives determine what internal processes an organization must implement to achieve and maintain PCI compliance.

PCI DSS 4.0+ introduced a new "customized approach" option alongside the traditional "defined approach." While the defined approach prescribes specific requirements, the customized approach allows organizations to implement alternative controls that meet the security objectives, providing greater flexibility for mature security programs.

The Three-Pillar Assessment Methodology

Regardless of whether your organization works with an internal audit team, an Internal Security Assessor (ISA), or a third-party Qualified Security Assessor (QSA), the PCI DSS assessment follows a structured approach based on three primary activities for most controls. This rigor often surprises clients unfamiliar with PCI validation requirements. The comprehensive nature and volume of evidence required can be challenging for organizations to document and provide to assessors.

The three primary pillars of PCI assessment are:

  1. Documentation Review
  2. Interview Response
  3. Configuration Review

Most PCI controls require that the assessed entity perform all three activities listed above. Some controls may require only one or two of these testing procedures, but most demand all three to verify whether a control is properly implemented. These three activities should produce consistent, corroborating evidence.

For example, the testing procedures for PCI DSS Requirement 1.2.2 (which, in v4.0.1, addresses changes to network connections and to configurations of Network Security Controls (NSCs)) require the assessor to:

  • Examine documented policies and procedures
  • Interview appropriate personnel
  • Sample systems and examine configurations
  • Review a sample of change control records

The Assessment Process in Practice

Documentation Foundation

Policies, procedures, and supporting documentation form the foundation of all governance, risk, and compliance programs. In PCI DSS 4.0.1, documentation requirements have expanded to include more detailed evidence of implementation and effectiveness.

Personnel Interviews

Interviews with employees should validate the policies and procedures. While staff may not recite policies verbatim, they should demonstrate knowledge of the applicable procedures and know where to find guidance. Observing employees as they perform compliance-related tasks should confirm that they follow the documented processes.

System Configuration Verification

Examining system component configurations confirms whether the organization is compliant with both PCI DSS requirements and its internal policies. System configurations should align with interview responses and documented procedures.

When these three elements don't align for a particular control, the organization must determine the root cause of the discrepancy. While remediation might be straightforward, root cause analysis may reveal deeper flaws in the security program. For instance, if policies are properly documented but interviews and configurations don't align with them, the organization may have a training deficiency.

Competency Requirements

PCI DSS 4.0.1 places increased emphasis on staff competency. For certain controls, an organization may be non-compliant if interviewees cannot demonstrate the required knowledge.

For example, Requirement 2.2.6.b in v4.0.1 requires that system administrators demonstrate knowledge of common security parameters. This is a distinct control beyond examining configuration standards and system components: if personnel cannot demonstrate the required knowledge, the entity would fail this testing procedure.

Observation as a Fourth Element

While the three-pillar approach forms the backbone of PCI assessment, a fourth element, observation of processes or activities, is frequently required. Observations supplement either configuration reviews or interview responses to verify that controls are operating effectively.

Preparing for Success

Organizations of all sizes must be prepared to demonstrate these activities for their PCI DSS 4.0.1 compliance assessments. All previously future-dated requirements are now fully in effect and require additional consideration by assessed entities. Preparation, proper planning, and control design processes must be addressed and followed to ensure a compliant implementation:

  1. Ensure policies and procedures are updated to reflect v4.0.1 requirements
  2. Train staff on new and updated controls
  3. Implement technical controls according to the new standard
  4. Consider whether the defined or customized approach is most appropriate for your environment
  5. Prepare for more rigorous testing of control effectiveness

It's essential that staff be properly informed by their internal audit team or external QSA about the testing activities and how they will be performed. Preparing employees for this level of scrutiny will improve both the efficiency and accuracy of the compliance assessment process.

As PCI DSS continues to evolve to address emerging threats, the fundamental three-pillar assessment methodology remains a consistent and effective approach to validating security controls across your cardholder data environment.


Director of Security

SecureTrust
