
Free Assessment Tool

PCI DSS Readiness Scorer

Answer 12 questions covering every PCI DSS requirement area and receive a traffic-light readiness score with prioritised recommendations for closing gaps.

1. Do you have a current network diagram showing all connections to/from the cardholder data environment (CDE)? (Req 1)

2. Are all system components hardened, with vendor-supplied security patches applied within 30 days? (Req 2, 6)

3. Is stored cardholder data encrypted or tokenised, with documented key management? (Req 3)

4. Is all cardholder data transmitted over encrypted channels (TLS 1.2+)? (Req 4)

5. Do all systems have current anti-malware software with automated updates? (Req 5)

6. Do you have a documented secure development lifecycle for payment applications? (Req 6)

7. Is access to cardholder data restricted to personnel with a documented business need? (Req 7)

8. Is multi-factor authentication enforced for all access to the CDE? (Req 8)

9. Are physical access controls in place for all areas containing cardholder data? (Req 9)

10. Do you have centralised logging with automated review for security events? (Req 10)

11. Are quarterly ASV scans and annual penetration tests conducted and passing? (Req 11)

12. Do you have a documented information security policy reviewed within the last 12 months? (Req 12)

Answer all 12 questions to calculate your readiness score.

Close Your Compliance Gaps

GRCTrack identifies every gap, generates remediation plans, and tracks your progress to PCI DSS certification.


Frequently Asked Questions

What does this readiness score measure?

The readiness scorer evaluates 12 key PCI DSS control areas spanning all 12 requirements, including network security, data encryption, access controls, monitoring, and policy management. It provides a high-level readiness assessment to help you understand where your organisation stands before a formal assessment.

Is this score equivalent to a PCI DSS assessment?

No. This is a directional indicator to help you identify major gaps. It is not a substitute for a formal Self-Assessment Questionnaire (SAQ) or a Qualified Security Assessor (QSA) assessment. Use it as a starting point to prioritise your compliance efforts.

What should I do if I score red?

Prioritise the gaps identified in the recommendations section. Start with foundational controls like network diagrams, access controls, and encryption. Consider engaging a QSA for a formal gap analysis and remediation roadmap before scheduling your assessment.

How often should I reassess my readiness?

Reassess quarterly or after any significant infrastructure change such as a cloud migration, new payment channel, network redesign, or major application deployment. Regular reassessment helps catch compliance drift early.