PCI assessments: How to prepare — and where companies fall short
- PCI assessments evaluate whether your environment meets security requirements for protecting cardholder data.
- Most failures happen due to gaps in scope, documentation or evidence — not misunderstanding the rules.
- Preparation is not a one-time effort — it requires continuous validation and alignment across systems and teams.
A PCI assessment is more than a checklist exercise. It is a formal evaluation of whether your organization meets the requirements of the Payment Card Industry Data Security Standard (PCI DSS) and can demonstrate that those controls are working effectively.
For many organizations, the challenge is not understanding what PCI requires. It is proving that those requirements are consistently met across a changing environment.
Under PCI DSS v4.0, expectations around continuous validation and documentation have increased — but the fundamentals of a successful PCI assessment have not changed.
What a PCI assessment actually evaluates
A PCI assessment focuses on whether your organization can protect cardholder data and maintain a secure environment.
This includes:
- How cardholder data is stored, processed and transmitted
- How systems are secured and monitored
- Whether access controls are properly enforced
- How vulnerabilities are identified and remediated
- Whether policies and procedures are documented and followed
The outcome is not just a pass or fail. It is a determination of whether your controls are effective and supported by evidence.
Why organizations fail PCI assessments
Most organizations do not fail because they misunderstand PCI DSS. They fail because their environment does not match what is documented or tested.
Common issues include:
- Incomplete or outdated network and data flow diagrams
- Unclear or inaccurate scope definitions
- Missing or inconsistent documentation
- Gaps between policy and actual practice
- Lack of evidence to support control effectiveness
These issues often arise as systems evolve, vendors change or processes are updated without a full reassessment.
Scope is where most problems start
One of the most critical — and most misunderstood — aspects of PCI assessments is scope.
Scope defines which systems, processes and data flows are subject to PCI requirements. If scope is incorrect, everything that follows is at risk.
Common scoping challenges include:
- Overlooking systems that interact with cardholder data
- Failing to account for third-party service providers
- Not updating scope after infrastructure changes
- Assuming segmentation is effective without validation
A clear and accurate scope is the foundation of a successful PCI assessment.
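The scope check below is an added illustration, not part of this article or of Wipfli's services: it reconciles a declared PCI scope against a constructed system inventory and firewall rule set, using the PCI SSC scoping rule that CHD-handling systems (and anything on their segment) form the CDE and that any segment with an allowed path into the CDE is connected-to and therefore in scope. Every system name, segment and rule in it is constructed.

```python
"""Reconcile a declared PCI scope against a system inventory and firewall rules.
Constructed sample data. Per PCI SSC scoping guidance: CHD-handling systems and
everything on their segment form the CDE; a segment with an allowed path into the
CDE is connected-to and in scope; only a segment with no such path is out of scope."""
from dataclasses import dataclass

@dataclass
class System:
    name: str
    segment: str
    handles_chd: bool = False  # stores, processes or transmits CHD

@dataclass
class Rule:
    src_segment: str
    dst_segment: str
    allow: bool

def cde_segments(inventory):
    """Segments holding at least one CHD-handling system."""
    return {s.segment for s in inventory if s.handles_chd}
def reachable_segments(rules, cde):
    """Non-CDE segments with an allow rule into the CDE (segmentation not effective)."""
    return {r.src_segment for r in rules
            if r.allow and r.dst_segment in cde and r.src_segment not in cde}
def required_scope(inventory, rules):
    cde = cde_segments(inventory)
    connected = reachable_segments(rules, cde)
    return {s.name for s in inventory if s.segment in cde or s.segment in connected}
def scope_gaps(inventory, rules, declared_scope):
    """(missing, stale): systems that must be in scope but are not declared, and
    declared names no longer present in the inventory (scope drift)."""
    required = required_scope(inventory, rules)
    names = {s.name for s in inventory}
    return sorted(required - set(declared_scope)), sorted(set(declared_scope) - names)

INVENTORY = [  # constructed
    System("pos-gateway", "cde", handles_chd=True),
    System("tokenization-db", "cde", handles_chd=True),
    System("reporting-etl", "analytics", handles_chd=True),  # CHD copy nobody scoped
    System("jump-host", "mgmt"),                              # reaches the CDE via RULES
    System("marketing-web", "dmz"),                           # no allowed path into the CDE
]
RULES = [Rule("mgmt", "cde", True), Rule("dmz", "cde", False), Rule("analytics", "cde", False)]
DECLARED_SCOPE = ["pos-gateway", "tokenization-db", "legacy-payment-app"]  # stale entry

if __name__ == "__main__":
    missing, stale = scope_gaps(INVENTORY, RULES, DECLARED_SCOPE)
    print("in scope but not declared:", missing)  # ['jump-host', 'reporting-etl']
    print("declared but gone:", stale)            # ['legacy-payment-app']
```

Running it against a real inventory export and rule base would surface the three scoping failures listed above in one pass: the overlooked CHD system, the connected-to host, and the entry left behind after a change.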
Documentation and evidence drive the outcome
PCI assessments are evidence-based. It is not enough to say controls are in place — you must prove they are working.
This includes:
- Policies and procedures that reflect actual practices
- System configurations and control settings
- Logs, reports and monitoring outputs
- Test results such as vulnerability scans and penetration tests
Documentation is often where organizations struggle most. Controls may exist, but without supporting evidence, they cannot be validated.
Testing is not optional — and not one-time
Testing is a core component of PCI assessments, and organizations are expected to regularly validate that controls are functioning as intended. This includes:
- Internal and external vulnerability scans
- Penetration testing
- Segmentation testing where applicable
- Ongoing monitoring and review
Testing must align with the current environment — not a previous state that no longer reflects reality.
Where assessments break down in practice
Most breakdowns happen at the intersection of people, process and technology.
Examples include:
- Changes implemented without updating documentation
- Different teams managing controls without coordination
- Vendors operating outside defined compliance processes
- Delays between identifying issues and remediating them
These gaps are not always visible until the assessment begins, which is often too late.
What a defensible PCI readiness approach looks like
Organizations that succeed in PCI assessments treat readiness as an ongoing process, not a point-in-time effort.
This includes:
- Maintaining an accurate and current PCI scope
- Aligning documentation with actual system configurations
- Performing regular testing and validation
- Tracking changes that may impact compliance
- Coordinating across internal teams and third-party providers
The goal is not just to pass the assessment — it is to maintain a state of continuous readiness.
How PCI DSS evolves — and what v4.0 signals for the future
The Payment Card Industry Data Security Standard (PCI DSS) is periodically updated to address changes in technology, threat activity and payment ecosystems. Major revisions are released infrequently, with interim updates and guidance issued as needed by the PCI Security Standards Council.
PCI DSS v4.0 represents the most recent major revision. It was introduced to modernize the framework and shift expectations toward more continuous validation of security controls rather than point-in-time compliance.
Key themes introduced in v4.0 include:
- Greater emphasis on continuous compliance and ongoing validation
- Stronger expectations around documentation and evidence
- Increased flexibility through customized approaches — paired with clearer accountability for how controls are implemented and validated
These changes reflect a broader direction for PCI DSS. Rather than prescribing only static requirements, the standard is evolving to support more dynamic environments while maintaining consistent security outcomes.
Looking ahead, organizations should expect continued updates that reinforce this direction — with a focus on adaptability, stronger validation and clearer demonstration of control effectiveness.
How Wipfli can help
Wipfli helps organizations prepare for and navigate PCI assessments with a focus on clarity, structure and execution.
Our services include:
- PCI readiness and gap assessments
- Scope definition and validation
- Testing coordination and oversight
- Documentation and evidence alignment
- Ongoing compliance support
To strengthen your approach to PCI assessments, explore our regulatory risk and compliance services.