PCI DSS Assessment Process
A complete guide to the PCI DSS assessment process — from initial scoping through formal assessment and ongoing compliance maintenance.
Follow a structured, 6-step approach with timeline guidance and stakeholder roles to achieve PCI DSS compliance efficiently.
Assessment Overview
The PCI DSS assessment process is a structured methodology for evaluating an organisation's compliance with the Payment Card Industry Data Security Standard. Whether you are pursuing a Report on Compliance (ROC) with a QSA or completing a Self-Assessment Questionnaire (SAQ), the underlying process follows the same logical phases.
A typical end-to-end assessment takes 4 to 8 months, though this varies significantly based on the maturity of existing security controls, the complexity of the cardholder data environment, and the number of gaps identified during the gap analysis phase. Organisations that invest in thorough scoping and pre-assessment preparation consistently achieve faster, less disruptive assessments.
The six-step process described below provides a proven framework that applies to merchants and service providers of all sizes. Each step builds on the previous one, and skipping or rushing any phase typically results in delays, scope issues, or assessment findings that require rework.
Step-by-Step Assessment Process
Scope Definition
Typical duration: 2-4 weeks
Identify the cardholder data environment (CDE), map all data flows from point of capture through storage and disposal, and document network diagrams showing CDE boundaries. Define which systems, networks, personnel, and third-party connections are in scope for the assessment.
Gap Analysis
Typical duration: 2-4 weeks
Compare current security controls against all applicable PCI DSS requirements. Document each gap with severity, remediation effort, and business impact. Prioritise findings based on risk level and remediation complexity to build an actionable roadmap.
Remediation Planning
Typical duration: 1-2 weeks
Create a detailed remediation roadmap with specific tasks, assigned owners, resource requirements, and target completion dates. Identify compensating controls where standard requirements cannot be met directly. Secure budget and management approval for the plan.
Control Implementation
Typical duration: 4-16 weeks
Deploy technical fixes, update security policies and procedures, implement new technologies, and configure monitoring tools. This is typically the longest phase and includes activities like network segmentation, encryption deployment, access control hardening, and log management implementation.
Formal Assessment
Typical duration: 2-6 weeks
For ROC assessments, the QSA conducts the on-site evaluation including documentation review, technical testing, personnel interviews, and physical inspections. For SAQ assessments, the organisation completes the self-assessment questionnaire. Evidence is collected and validated against each requirement.
Reporting & Maintenance
Typical duration: 1-2 weeks
Submit the completed ROC or SAQ along with the signed Attestation of Compliance (AOC) to the acquiring bank. Establish ongoing monitoring processes, schedule quarterly ASV scans, and plan for the next annual reassessment cycle.
Timeline Guidance
Understanding the typical duration of each phase helps set realistic expectations with stakeholders and ensures adequate resource allocation throughout the assessment.
Key Participants
Merchant Team
CISO or Security Lead
Executive sponsor, owns the compliance programme and represents the organisation to the QSA
IT Team
Provides technical evidence, implements remediation, and demonstrates control effectiveness
Compliance Officer
Manages assessment logistics, tracks evidence collection, and coordinates stakeholder communication
Business Owners
Validate data flows, confirm scope boundaries, and ensure business processes align with security controls
QSA Team
Lead Assessor
Directs the assessment, makes compliance determinations, and authors the ROC report
Technical Assessors
Conduct system configuration reviews, network testing, and technical evidence validation
Acquirer Bank
Compliance Team
Sets compliance deadlines, receives the AOC, and manages merchant compliance tracking
Relationship Manager
Primary point of contact, escalates compliance issues, and coordinates remediation timelines
Common Assessment Pitfalls
Scope Creep Mid-Assessment
Discovering additional in-scope systems during the formal assessment phase. This forces re-evaluation of previously tested controls and extends timelines. Thorough scoping upfront prevents this.
Last-Minute Remediation
Deferring remediation until the QSA is on-site. This leads to rushed fixes, incomplete documentation, and potential assessment delays while the QSA waits for evidence of new controls.
Evidence Gaps
Being unable to produce the required evidence for the full assessment period. Daily log reviews, quarterly scans, and annual activities must have documented evidence covering the entire period under review.
Underestimating Staff Time
Failing to account for the significant time IT and security staff must dedicate to the assessment. QSA interviews, evidence gathering, and technical demonstrations require substantial personnel availability.
Ignoring Compensating Controls
Attempting to force-fit standard requirement implementations when a well-documented compensating control would be more appropriate. QSAs can accept compensating controls with proper risk analysis and documentation.
Not Planning for Re-Assessment
Treating PCI DSS as a one-time project rather than an ongoing programme. Annual re-assessment requires continuous maintenance of controls, evidence, and documentation throughout the year.
How GRCTrack Supports Your Assessment
Automated Scoping Tools
Interactive scoping workflows guide you through CDE identification, data flow mapping, and boundary definition. Ensure nothing is missed before the formal assessment begins.
Gap Analysis Dashboards
Visualise your compliance posture across all 322 requirements. Identify gaps by severity, effort level, and requirement family to prioritise remediation effectively.
Remediation Workflow Tracking
Assign remediation tasks, set deadlines, and track progress with built-in project management tools. Automated notifications keep teams accountable and on schedule.
Evidence Management
Centralised evidence repository with version control, expiration tracking, and requirement mapping. Upload once, reference across multiple assessment periods.
Real-Time Progress Reporting
Live dashboards showing assessment readiness by phase, requirement family, and control status. Share progress with executives and stakeholders at any time.
QSA Collaboration
Provide your QSA with secure, role-based access to the platform. Share evidence, track findings, and manage assessment communications in a single workspace.
Frequently Asked Questions
How long does the entire PCI DSS assessment process take?
The end-to-end PCI DSS assessment process typically takes 4 to 8 months from initial scoping through final report submission. The timeline depends on the complexity of the cardholder data environment, the number of gaps identified during the gap analysis phase, and the organisation's ability to implement remediation. Organisations with mature security programmes and prior PCI DSS experience can often complete the process in 4 to 5 months, while first-time assessments may take 6 to 8 months or longer.
Can we start the formal assessment before all remediation is complete?
Yes, but this approach carries risks. QSAs can begin the formal assessment while remediation is ongoing, but any requirement found not in place at the time of testing will be noted. The ROC cannot be finalised until all requirements are either in place or have approved compensating controls. Starting early can help identify additional issues, but extending the assessment window increases costs and complexity.
What is the difference between scoping and gap analysis?
Scoping identifies which systems, networks, processes, and people are in scope for PCI DSS — essentially defining the boundary of the cardholder data environment. Gap analysis compares your current security controls against PCI DSS requirements to identify where gaps exist. Scoping answers "what must be assessed" while gap analysis answers "what needs to be fixed." Both are essential pre-assessment activities.
Do we need to assess all 322 requirements for every assessment?
For a ROC, yes — the QSA must evaluate all applicable requirements. However, not all requirements apply to every environment. Requirements are marked as "not applicable" where the corresponding technology or process is not used. For SAQs, only the subset of requirements relevant to your specific SAQ type must be assessed. The scoping phase determines which requirements apply to your environment.
What happens after the assessment is complete?
After the formal assessment, the QSA finalises the ROC and signs the Attestation of Compliance (AOC), or the organisation completes the SAQ and AOC. These documents are submitted to the acquiring bank and, in some cases, directly to card brands. The organisation must then maintain compliance continuously, with quarterly ASV scans, annual reassessment, and ongoing monitoring of all controls.
Start Your PCI DSS Assessment
From scoping to certification, GRCTrack guides you through every step of the PCI DSS assessment process with automated workflows and real-time tracking.