PCI DSS assessment and compliance tracking
Run PCI DSS assessments, gap analysis, and risk assessments across all 12 requirements. Map vulnerability findings to specific controls, track remediation with SLAs, and generate compliance reports for QSAs, all from one platform.
No credit card required. Free plan available forever.
PCI DSS Assessment: Compliance, Gap Analysis, and Risk Assessment
A PCI DSS assessment evaluates whether your organisation meets the Payment Card Industry Data Security Standard requirements for protecting cardholder data. PCI DSS v4.0, maintained by the PCI Security Standards Council (founded by Visa, Mastercard, American Express, Discover, and JCB), defines 12 core requirements organised into six goals. Every entity that stores, processes, or transmits cardholder data, or whose systems could affect its security, must validate PCI DSS compliance; the validation method (a Self-Assessment Questionnaire, or a full on-site assessment by a Qualified Security Assessor that produces a Report on Compliance) depends on the merchant or service provider level, which the card brands and acquirers set primarily by annual transaction volume.
The PCI DSS assessment process typically starts with a gap analysis to identify where your current controls fall short of the 12 requirements. A PCI DSS risk assessment then prioritises the gaps by business impact, and a remediation plan addresses each finding with clear owners and timelines. Throughout this process, PCI DSS vulnerability management ensures that systems in the cardholder data environment are regularly scanned, patched, and tested. For organisations running their first assessment, our PCI DSS assessment guide walks through every step.
SecPortal provides the structured tracking and evidence management that the PCI DSS assessment process demands. From initial scope definition and gap analysis through vulnerability testing, remediation tracking, and QSA-ready report generation, every step of your PCI DSS compliance assessment is managed in one platform. For teams that also need to manage SOC 2 or ISO 27001 alongside PCI DSS, SecPortal's multi-framework compliance tracking maps shared controls automatically.
PCI DSS Requirement Tracking and Gap Analysis
Build and Maintain a Secure Network (Req. 1-2)
Requirement 1 covers installing and maintaining network security controls (firewalls, routers, and network segmentation). Requirement 2 addresses applying secure configurations to all system components, eliminating vendor defaults for passwords and security parameters.
Protect Account Data (Req. 3-4)
Requirement 3 focuses on protecting stored account data: the PAN must be rendered unreadable wherever it is stored (encryption, truncation, or keyed hashing), masked when displayed, and sensitive authentication data must not be retained after authorisation. Requirement 4 mandates strong cryptography (for example current TLS with only trusted certificates) for cardholder data transmitted across open, public networks, including an inventory of the keys and certificates in use.
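The Requirement 3 controls above are easiest to see on a concrete PAN. The following is an added example, not SecPortal code or anything from the PCI SSC: it discovers Luhn-valid PANs in free text (the kind of check used when scoping a cardholder data environment), masks them for display (3.4.1), truncates them for storage (3.5.1), and produces a keyed hash (3.5.1.1). The sample PANs are synthetic test numbers, the HMAC key is a placeholder that a real deployment would fetch from its key-management system, and the regular expression assumes ASCII digits optionally separated by single spaces or hyphens; none of those are taken from the page.

```python
"""PCI DSS v4.0 Requirement 3 controls applied to a primary account number (PAN).

Added example, not SecPortal code. Assumptions not taken from the page: the
sample PANs are synthetic test numbers, the HMAC key is a placeholder, and
PANs are ASCII digits optionally separated by single spaces or hyphens.
"""
import hashlib
import hmac
import re

# Constructed samples: the well-known Visa test PAN and a copy whose last digit
# was changed so it fails the Luhn check (a plausible false positive in a scan).
SAMPLE_VALID_PAN = "4111111111111111"
SAMPLE_INVALID_PAN = "4111111111111112"

# Placeholder only; Requirements 3.6 and 3.7 govern how a real key is generated,
# stored and rotated.
HMAC_KEY = b"placeholder-key-fetch-from-kms"

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# part of a longer digit run (the lookarounds reject 20+ digit runs).
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn check: separates real PANs from other long digit runs during discovery."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Req 3.4.1: when displayed, show at most the BIN (first six here) and last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Req 3.5.1 truncation: keep only first six and last four; the middle is never stored."""
    return pan[:6] + pan[-4:]


def hash_pan(pan: str, key: bytes = HMAC_KEY) -> str:
    """Req 3.5.1.1: a stored hash of PAN must be a keyed cryptographic hash (HMAC-SHA-256 here)."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def find_pans(text: str) -> list:
    """Cardholder-data discovery for scoping: return Luhn-valid PANs found in text."""
    pans = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def redact(text: str) -> str:
    """Mask every discovered PAN so the text can leave the CDE (logs, tickets, reports)."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_PATTERN.sub(_mask, text)


if __name__ == "__main__":
    # Constructed log line: one real test PAN (spaced) and one Luhn-invalid lookalike.
    log_line = "order 7781 card 4111 1111 1111 1111 ref 4111111111111112"
    print(find_pans(log_line))
    print(redact(log_line))
    print(truncate_pan(SAMPLE_VALID_PAN), hash_pan(SAMPLE_VALID_PAN))
```

The Luhn filter matters in practice: without it, order numbers and timestamps show up as PANs and inflate the apparent CDE scope. Note that truncation and a keyed hash of the same PAN must not be stored together unless the combination is itself protected (v4.0 3.5.1.2 addresses this), since the hash plus the visible digits narrow the search space considerably.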
Maintain a Vulnerability Management Programme (Req. 5-6)
Requirement 5 requires protection against malicious software on all systems. Requirement 6 addresses developing and maintaining secure systems and software, including secure coding practices, change management, and vulnerability patching timelines.
Implement Strong Access Control (Req. 7-9)
Requirement 7 restricts access to cardholder data on a need-to-know basis. Requirement 8 mandates identification and authentication for system access, including MFA requirements. Requirement 9 covers physical access restrictions to cardholder data environments.
Regularly Monitor and Test Networks (Req. 10-11)
Requirement 10 requires logging and monitoring of all access to system components and cardholder data, with log review and retention. Requirement 11 mandates regular testing of security systems and processes, including quarterly internal and external vulnerability scanning, penetration testing, and intrusion-detection and change-detection mechanisms.
Maintain an Information Security Policy (Req. 12)
Requirement 12 addresses the organisational information security policy, covering risk assessment processes, acceptable use, security awareness training, incident response planning, and service provider management. This requirement underpins all technical controls.
PCI DSS Vulnerability Management and Assessment Tracking
SecPortal provides pre-built templates covering all PCI DSS v4.0 requirements and sub-requirements, allowing your team to track compliance status at a granular level. Each finding from penetration testing or vulnerability assessment can be mapped directly to the affected PCI DSS requirements, creating clear traceability between identified issues and the controls they impact. SecPortal's built-in scanning (33 modules across external, authenticated, and code analysis) generates PCI DSS vulnerability assessment evidence automatically, while the compliance dashboard gives assessors and stakeholders a real-time view of where the organisation stands across all 12 requirements. One caveat: the quarterly external scans Requirement 11.3.2 calls for must be performed by a PCI SSC Approved Scanning Vendor (ASV), so scan output from any other tool supports internal scanning and remediation evidence but does not replace the ASV scan report.
- Pre-built templates for all 12 PCI DSS v4.0 requirements with sub-requirement breakdown
- Finding-to-requirement mapping linking each discovered vulnerability to specific PCI DSS controls
- Scope definition tools to document the cardholder data environment (CDE) and connected systems
- Compensating control documentation for requirements that cannot be met through standard means
- Compliance dashboard showing status across all 12 requirements with drill-down into sub-requirements
- Milestone tracking aligned with the quarterly scanning and annual validation cycles PCI DSS requires
- Evidence attachment for each requirement supporting SAQ completion and on-site assessment
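The mapping and remediation tracking described above comes down to two pieces of logic: which sub-requirement each finding impacts, and whether the fix landed inside its SLA. The following is an added example, not SecPortal code: it maps constructed findings to v4.0 sub-requirements, computes due dates, rolls status up per requirement, and lists SLA breaches for a report. The category-to-requirement table and the 90-day window for medium and low findings are illustrative assumptions; the 30-day window for critical and high findings follows Requirement 6.3.3's "within one month" patching timeline.

```python
"""Finding-to-requirement mapping and SLA tracking for a PCI DSS v4.0 gap register.

Added example, not SecPortal code. Assumptions not taken from the page: the
finding categories, the category-to-requirement table and the 90-day SLA for
medium/low findings are illustrative; 30 days for critical/high follows
Requirement 6.3.3 ("within one month of release").
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Illustrative mapping from finding category to the v4.0 sub-requirement it impacts.
CATEGORY_TO_REQUIREMENT = {
    "default-credentials": "2.2.2",   # vendor default accounts managed
    "pan-in-cleartext": "3.5.1",      # PAN rendered unreadable wherever stored
    "weak-tls": "4.2.1",              # strong cryptography for PAN in transit
    "missing-patch": "6.3.3",         # critical/high patches within one month
    "no-mfa": "8.4.2",                # MFA for all access into the CDE
    "logging-disabled": "10.2.1",     # audit logs enabled on all system components
}

# Days allowed from discovery to remediation; medium/low are assumed values.
SLA_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 90}

STATUS_RANK = {"in place": 0, "open": 1, "overdue": 2}


@dataclass
class Finding:
    finding_id: str
    category: str
    severity: str
    discovered: date
    remediated: date | None = None

    @property
    def requirement(self) -> str:
        return CATEGORY_TO_REQUIREMENT.get(self.category, "unmapped")

    @property
    def due(self) -> date:
        return self.discovered + timedelta(days=SLA_DAYS[self.severity])

    def status(self, today: date) -> str:
        """closed / closed-late for remediated findings, open / overdue otherwise."""
        if self.remediated is not None:
            return "closed-late" if self.remediated > self.due else "closed"
        return "overdue" if today > self.due else "open"


def requirement_status(findings: list, today: date) -> dict:
    """Roll up to requirement level: the worst unresolved finding wins; closed ones count as in place."""
    status: dict = {}
    for f in findings:
        s = f.status(today)
        s = s if s in ("open", "overdue") else "in place"
        prev = status.get(f.requirement, "in place")
        if STATUS_RANK[s] >= STATUS_RANK[prev]:
            status[f.requirement] = s
    return status


def sla_breaches(findings: list, today: date) -> list:
    """Findings a QSA will ask about: still open past due, or closed after the due date."""
    return sorted(f.finding_id for f in findings
                  if f.status(today) in ("overdue", "closed-late"))


# Constructed sample register (dates and IDs are made up for the example).
SAMPLE_FINDINGS = [
    Finding("F-1", "default-credentials", "high", date(2024, 1, 10), date(2024, 1, 20)),
    Finding("F-2", "missing-patch", "critical", date(2024, 1, 5)),
    Finding("F-3", "weak-tls", "medium", date(2024, 1, 20)),
    Finding("F-4", "no-mfa", "high", date(2024, 1, 1), date(2024, 2, 10)),
]
AS_OF = date(2024, 2, 15)

if __name__ == "__main__":
    for req, s in sorted(requirement_status(SAMPLE_FINDINGS, AS_OF).items()):
        print(f"Req {req}: {s}")
    print("SLA breaches:", sla_breaches(SAMPLE_FINDINGS, AS_OF))
```

Two design points worth keeping when building a real register: a finding that was fixed late still shows up in `sla_breaches`, because a QSA assesses the process as well as the end state; and an unmapped category is surfaced as its own "unmapped" bucket rather than silently dropped, so the mapping table is forced to stay complete.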
QSA Preparation and PCI DSS Risk Assessment Documentation
Whether your organisation or client is completing a Self-Assessment Questionnaire or undergoing a full on-site assessment by a Qualified Security Assessor, SecPortal generates the structured documentation and evidence packages that assessors need. The platform organises evidence by requirement, maintains an audit trail of all compliance activities, and produces reports structured requirement by requirement, the way the PCI SSC's ROC and SAQ templates expect.
- QSA-ready report generation with requirement-by-requirement compliance status and evidence references
- Self-Assessment Questionnaire (SAQ) alignment for merchants validating through self-assessment
- Report on Compliance (ROC) supporting documentation with structured evidence packages
- Network diagram and data-flow documentation (Requirements 1.2.3 and 1.2.4), which also evidences the transmission paths that Requirement 4 protects
- Vulnerability scan result integration supporting Requirement 11 compliance evidence
- Remediation tracking with timelines demonstrating progress on identified gaps
- Historical compliance data showing assessment results across multiple validation cycles
PCI DSS compliance is a continuous obligation, not a point-in-time assessment. A strong PCI DSS vulnerability management policy requires ongoing scanning, patching, and remediation tracking between assessment cycles. SecPortal supports this by retaining assessment data across validation cycles, tracking remediation of identified gaps with SLA monitoring, and providing trend reporting that demonstrates security posture improvements over time. For security consultancies providing PCI DSS assessment services to multiple merchants or service providers, SecPortal's structured approach ensures consistency and thoroughness across every engagement. Learn more about automating security compliance across PCI DSS and other frameworks.
Key control areas
SecPortal helps you track and manage compliance across these domains.
Req 1-2: Network Security
Track firewall configurations, network segmentation, and secure network architecture controls.
Req 3-4: Data Protection
Assess cardholder data protection, encryption, and secure transmission controls.
Req 5-6: Vulnerability Management
Track anti-malware deployment, secure development practices, and patch management.
Req 7-9: Access Controls
Manage access restriction, authentication, and physical access controls.
Req 10-11: Monitoring & Testing
Track logging, monitoring, vulnerability scanning, and penetration testing requirements.
Req 12: Security Policy
Document information security policies, risk assessments, and security awareness training.
Run your PCI DSS assessment from one platform
Gap analysis, vulnerability management, remediation tracking, and QSA-ready reports. Start your free trial.