[{"data":1,"prerenderedAt":2664},["ShallowReactive",2],{"\u002Fglossary\u002Fsaq":3,"\u002Fglossary\u002Fsaq__related-terms":226,"explore-glossary-pci-\u002Fglossary\u002Fsaq":237,"explore-topics-pci-\u002Fglossary\u002Fsaq":1039,"explore-hub-pci":1716,"explore-compare-vs-\u002Fglossary\u002Fsaq":2221,"explore-compare-\u002Fglossary\u002Fsaq":2388,"explore-blog-pci-\u002Fglossary\u002Fsaq":2509,"explore-industry-pci":2364},{"id":4,"title":5,"body":6,"description":195,"extension":207,"lastUpdated":208,"meta":209,"navigation":210,"path":211,"relatedFrameworks":212,"relatedTerms":214,"seo":220,"slug":223,"stem":224,"term":13,"__hash__":225},"glossary\u002F8.glossary\u002Fsaq.md","Saq",{"type":7,"value":8,"toc":194},"minimark",[9,14,18,23,26,79,83,86,100,103,107,110,136,140,143,160,164,167,181,185],[10,11,13],"h2",{"id":12},"what-is-a-self-assessment-questionnaire-saq","What is a Self-Assessment Questionnaire (SAQ)?",[15,16,17],"p",{},"A Self-Assessment Questionnaire (SAQ) is a PCI DSS validation tool designed for merchants and service providers who are eligible to self-assess their compliance with the Payment Card Industry Data Security Standard. Instead of undergoing a full on-site audit by a Qualified Security Assessor (QSA), eligible organizations complete an SAQ to document their compliance status.",[19,20,22],"h3",{"id":21},"what-are-the-saq-types","What are the SAQ types?",[15,24,25],{},"The PCI Security Standards Council provides multiple SAQ types, each designed for a specific merchant or service provider environment:",[27,28,29,37,43,49,55,61,67,73],"ul",{},[30,31,32,36],"li",{},[33,34,35],"strong",{},"SAQ A"," — for merchants that have fully outsourced all cardholder data functions to PCI-compliant third parties (e-commerce with redirect or iframe)",[30,38,39,42],{},[33,40,41],{},"SAQ A-EP"," — for e-commerce merchants that partially outsource payment processing but whose website may impact transaction security",[30,44,45,48],{},[33,46,47],{},"SAQ B"," — for merchants using only imprint machines or standalone dial-out payment terminals",[30,50,51,54],{},[33,52,53],{},"SAQ B-IP"," — for merchants using standalone PTS-approved payment terminals connected via IP",[30,56,57,60],{},[33,58,59],{},"SAQ C"," — for merchants with payment application systems connected to the internet",[30,62,63,66],{},[33,64,65],{},"SAQ C-VT"," — for merchants manually entering single transactions via a virtual terminal on an isolated computer",[30,68,69,72],{},[33,70,71],{},"SAQ D"," — the most comprehensive questionnaire, for merchants and service providers that do not qualify for any other SAQ type",[30,74,75,78],{},[33,76,77],{},"SAQ P2PE"," — for merchants using validated point-to-point encryption solutions",[19,80,82],{"id":81},"how-do-you-determine-which-saq-applies","How do you determine which SAQ applies?",[15,84,85],{},"The correct SAQ depends on how your organization processes, stores, and transmits cardholder data. Key factors include:",[27,87,88,91,94,97],{},[30,89,90],{},"Whether you store cardholder data or only transmit it",[30,92,93],{},"Whether payment processing is fully outsourced",[30,95,96],{},"What types of payment channels you use (e-commerce, point-of-sale, mail\u002Ftelephone)",[30,98,99],{},"Whether you use validated P2PE solutions",[15,101,102],{},"Selecting the wrong SAQ type can lead to either unnecessary work (choosing a more restrictive SAQ) or inadequate coverage (choosing one that does not address your actual risk).",[19,104,106],{"id":105},"what-does-the-saq-contain","What does the SAQ contain?",[15,108,109],{},"Each SAQ includes:",[27,111,112,118,124,130],{},[30,113,114,117],{},[33,115,116],{},"Questions aligned to PCI DSS requirements"," — the number of questions varies by SAQ type, from approximately 22 (SAQ A) to over 300 (SAQ D)",[30,119,120,123],{},[33,121,122],{},"Response options"," — yes, no, N\u002FA, or compensating control for each requirement",[30,125,126,129],{},[33,127,128],{},"Compensating control documentation"," — if a requirement cannot be met directly, a compensating control worksheet documents the alternative approach",[30,131,132,135],{},[33,133,134],{},"Attestation of Compliance (AOC)"," — a formal statement signed by the organization's executive management attesting to the accuracy of the SAQ",[19,137,139],{"id":138},"who-requires-saqs","Who requires SAQs?",[15,141,142],{},"Acquiring banks and payment brands determine whether a merchant or service provider must submit an SAQ based on transaction volume:",[27,144,145,151,157],{},[30,146,147,150],{},[33,148,149],{},"Level 1 merchants"," (highest transaction volumes) typically require an on-site assessment by a QSA rather than an SAQ",[30,152,153,156],{},[33,154,155],{},"Level 2-4 merchants"," are generally eligible for self-assessment via SAQ",[30,158,159],{},"Requirements may vary by payment brand (Visa, Mastercard, etc.)",[19,161,163],{"id":162},"what-are-common-challenges-with-an-saq","What are common challenges with an SAQ?",[15,165,166],{},"Organizations often encounter challenges with SAQs:",[27,168,169,172,175,178],{},[30,170,171],{},"Difficulty determining the correct SAQ type",[30,173,174],{},"Incomplete understanding of the cardholder data environment",[30,176,177],{},"Gaps between the organization's actual practices and SAQ requirements",[30,179,180],{},"Lack of documentation to support \"yes\" answers",[19,182,184],{"id":183},"how-does-episki-help-with-an-saq","How does episki help with an SAQ?",[15,186,187,188,193],{},"episki guides you through SAQ selection based on your payment processing environment and helps you document controls and evidence for each applicable requirement. The platform tracks completion status and flags gaps before submission. Learn more on our ",[189,190,192],"a",{"href":191},"\u002Fframeworks\u002Fpci","PCI DSS compliance page",".",{"title":195,"searchDepth":196,"depth":196,"links":197},"",2,[198],{"id":12,"depth":196,"text":13,"children":199},[200,202,203,204,205,206],{"id":21,"depth":201,"text":22},3,{"id":81,"depth":201,"text":82},{"id":105,"depth":201,"text":106},{"id":138,"depth":201,"text":139},{"id":162,"depth":201,"text":163},{"id":183,"depth":201,"text":184},"md","2026-04-16",{},true,"\u002Fglossary\u002Fsaq",[213],"pci",[215,216,217,218,219],"pci-dss","qsa","cardholder-data-environment","pci-scope","pan",{"title":221,"description":222},"What is a Self-Assessment Questionnaire (SAQ)? Definition & Compliance Guide","A PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool for merchants and service providers to self-evaluate their cardholder data security.","saq","8.glossary\u002Fsaq","y_WJFBksFDBE_V8Nh6vFjLR3Rd6B5-7EGQdgVtSFqCs",[227,229,231,233,235],{"slug":217,"term":228},"What is a Cardholder Data Environment?",{"slug":219,"term":230},"What is a Primary Account Number (PAN)?",{"slug":215,"term":232},"What is PCI DSS?",{"slug":218,"term":234},"What is PCI Scope?",{"slug":216,"term":236},"What is a Qualified Security Assessor (QSA)?",[238,813],{"id":239,"title":240,"body":241,"description":195,"extension":207,"lastUpdated":208,"meta":795,"navigation":210,"path":796,"relatedFrameworks":797,"relatedTerms":803,"seo":807,"slug":810,"stem":811,"term":246,"__hash__":812},"glossary\u002F8.glossary\u002Faccess-control.md","Access Control",{"type":7,"value":242,"toc":781},[243,247,250,254,257,283,287,293,299,305,311,315,318,324,341,347,361,367,378,382,385,441,445,448,462,466,469,492,496,499,549,553,556,676,679,682,711,715,721,724,761,764,767,770,774],[10,244,246],{"id":245},"what-is-access-control","What is Access Control?",[15,248,249],{},"Access control is the set of policies, procedures, and technical mechanisms that regulate who can access systems, data, and resources within an organization. It ensures that only authorized individuals can view, modify, or interact with sensitive information and critical systems. Access control is one of the most fundamental and universally required security controls across every major compliance framework.",[19,251,253],{"id":252},"what-are-the-core-principles-of-access-control","What are the core principles of access control?",[15,255,256],{},"Access control is built on several foundational principles:",[27,258,259,265,271,277],{},[30,260,261,264],{},[33,262,263],{},"Least privilege"," — users are granted only the minimum access necessary to perform their job functions",[30,266,267,270],{},[33,268,269],{},"Separation of duties"," — critical tasks are divided among multiple individuals to prevent any single person from having unchecked authority",[30,272,273,276],{},[33,274,275],{},"Need to know"," — access to information is restricted to those who require it for a specific purpose",[30,278,279,282],{},[33,280,281],{},"Default deny"," — access is denied by default unless explicitly granted",[19,284,286],{"id":285},"what-are-the-types-of-access-control","What are the types of access control?",[15,288,289,292],{},[33,290,291],{},"Role-Based Access Control (RBAC)"," — access is determined by the user's role within the organization. Roles are defined with specific permissions, and users are assigned to roles. This is the most common model in enterprise environments.",[15,294,295,298],{},[33,296,297],{},"Attribute-Based Access Control (ABAC)"," — access decisions are based on attributes of the user, the resource, and the environment (e.g., department, location, time of day, device type).",[15,300,301,304],{},[33,302,303],{},"Discretionary Access Control (DAC)"," — resource owners decide who can access their resources. Common in file systems where owners set permissions.",[15,306,307,310],{},[33,308,309],{},"Mandatory Access Control (MAC)"," — access is controlled by the system based on security labels and clearance levels. Common in government and military environments.",[19,312,314],{"id":313},"what-are-access-control-components","What are access control components?",[15,316,317],{},"A complete access control program addresses:",[15,319,320,323],{},[33,321,322],{},"Authentication"," — verifying the identity of users:",[27,325,326,329,332,335,338],{},[30,327,328],{},"Passwords and passphrases",[30,330,331],{},"Multi-factor authentication (MFA)",[30,333,334],{},"Single sign-on (SSO)",[30,336,337],{},"Biometric authentication",[30,339,340],{},"Certificate-based authentication",[15,342,343,346],{},[33,344,345],{},"Authorization"," — determining what authenticated users can do:",[27,348,349,352,355,358],{},[30,350,351],{},"Permission assignments",[30,353,354],{},"Role definitions",[30,356,357],{},"Access control lists",[30,359,360],{},"Policy enforcement points",[15,362,363,366],{},[33,364,365],{},"Access lifecycle management"," — managing access throughout the user lifecycle:",[27,368,369,372,375],{},[30,370,371],{},"Provisioning (granting access when hired or role changes)",[30,373,374],{},"Review (periodic access certification)",[30,376,377],{},"Deprovisioning (revoking access upon termination or role change)",[19,379,381],{"id":380},"how-do-compliance-frameworks-address-access-control","How do compliance frameworks address access control?",[15,383,384],{},"Every major framework requires access control:",[27,386,387,396,410,424,432],{},[30,388,389,395],{},[33,390,391],{},[189,392,394],{"href":393},"\u002Fframeworks\u002Fsoc2","SOC 2"," — CC6.1 through CC6.8 cover logical and physical access controls",[30,397,398,404,405,409],{},[33,399,400],{},[189,401,403],{"href":402},"\u002Fframeworks\u002Fiso27001","ISO 27001"," — ",[189,406,408],{"href":407},"\u002Fglossary\u002Fannex-a","Annex A"," controls A.5.15 through A.5.18 and A.8.2 through A.8.5 address access management",[30,411,412,418,419,423],{},[33,413,414],{},[189,415,417],{"href":416},"\u002Fframeworks\u002Fhipaa","HIPAA"," — the ",[189,420,422],{"href":421},"\u002Fframeworks\u002Fhipaa\u002Fsecurity-rule","Security Rule"," requires access controls for ePHI (45 CFR 164.312(a))",[30,425,426,431],{},[33,427,428],{},[189,429,430],{"href":191},"PCI DSS"," — Requirements 7 and 8 address access restriction and user identification",[30,433,434,440],{},[33,435,436],{},[189,437,439],{"href":438},"\u002Fframeworks\u002Fnistcsf","NIST CSF"," — PR.AC covers identity management, authentication, and access control",[19,442,444],{"id":443},"what-are-access-reviews","What are access reviews?",[15,446,447],{},"Regular access reviews (also called access certifications) are a critical control:",[27,449,450,453,456,459],{},[30,451,452],{},"Review user access rights periodically (quarterly is common for sensitive systems)",[30,454,455],{},"Verify that access aligns with current job responsibilities",[30,457,458],{},"Identify and remove excessive or unnecessary access",[30,460,461],{},"Document review results and remediation actions",[19,463,465],{"id":464},"what-are-common-access-control-weaknesses","What are common access control weaknesses?",[15,467,468],{},"Even well-designed access control programs can degrade over time without ongoing attention. Watch for these common issues:",[27,470,471,474,477,480,483,486,489],{},[30,472,473],{},"Excessive permissions that accumulate over time (privilege creep)",[30,475,476],{},"Shared or generic accounts that prevent individual accountability",[30,478,479],{},"Delayed deprovisioning when employees leave or change roles",[30,481,482],{},"Lack of MFA on critical systems and remote access paths",[30,484,485],{},"Inconsistent access review processes with no documented remediation",[30,487,488],{},"Service accounts with standing privileged access and no rotation schedule",[30,490,491],{},"Lack of visibility into SaaS application access outside the corporate IdP",[19,493,495],{"id":494},"how-do-you-implement-access-control-in-practice","How do you implement access control in practice?",[15,497,498],{},"Effective access control programs start with planning and build toward automation. The following steps provide a practical roadmap for organizations at any maturity level:",[500,501,502,508,514,520,526,532,543],"ol",{},[30,503,504,507],{},[33,505,506],{},"Map your environment"," — inventory all systems, applications, and data repositories that require access controls. You cannot protect what you have not identified. Include SaaS applications, cloud infrastructure, on-premises servers, databases, file shares, and third-party integrations.",[30,509,510,513],{},[33,511,512],{},"Define roles based on job functions"," — create roles that reflect organizational responsibilities, not individual users. Align roles to the principle of least privilege so each role includes only the permissions required for that function. Review role definitions annually and whenever organizational structure changes.",[30,515,516,519],{},[33,517,518],{},"Centralize authentication with SSO"," — implement single sign-on using SAML 2.0 or OpenID Connect (OIDC) to unify identity across cloud and on-premises systems. Centralized authentication reduces password sprawl and gives security teams a single point of enforcement. Ensure all business-critical applications are integrated with your SSO provider before considering the rollout complete.",[30,521,522,525],{},[33,523,524],{},"Layer MFA on all critical systems"," — require multi-factor authentication for remote access, privileged accounts, email, cloud consoles, and any system that touches sensitive data. Phishing-resistant methods such as FIDO2 hardware keys are preferred over SMS-based codes. At a minimum, enforce MFA on identity providers, admin consoles, and VPN access.",[30,527,528,531],{},[33,529,530],{},"Automate provisioning and deprovisioning"," — connect your HR system to your identity provider (IdP) and use SCIM or directory sync to automate account creation, role assignment, and account removal. When an employee is terminated in the HR system, access should be revoked within minutes, not days. Automation eliminates the human error that leads to orphaned accounts and privilege creep.",[30,533,534,537,538,542],{},[33,535,536],{},"Build an access request and approval workflow"," — establish a formal process where users request access with documented business justification, managers approve, and the request is logged for audit. This creates an ",[189,539,541],{"href":540},"\u002Fglossary\u002Faudit-trail","audit trail"," that satisfies compliance requirements.",[30,544,545,548],{},[33,546,547],{},"Monitor and log access events"," — collect authentication and authorization logs centrally. Monitor for anomalies such as failed login attempts, access from unusual locations, and privilege escalation. Logs are essential for incident response and audit evidence.",[19,550,552],{"id":551},"what-are-the-access-control-requirements","What are the access control requirements?",[15,554,555],{},"Different frameworks address the same access control concepts with different control references. The table below maps common requirements to their framework-specific identifiers:",[557,558,559,579],"table",{},[560,561,562],"thead",{},[563,564,565,569,571,573,575,577],"tr",{},[566,567,568],"th",{},"Requirement",[566,570,394],{},[566,572,403],{},[566,574,417],{},[566,576,430],{},[566,578,439],{},[580,581,582,603,622,642,659],"tbody",{},[563,583,584,588,591,594,597,600],{},[585,586,587],"td",{},"Unique user IDs",[585,589,590],{},"CC6.1",[585,592,593],{},"A.5.16",[585,595,596],{},"§164.312(a)(2)(i)",[585,598,599],{},"Req 8.2.1",[585,601,602],{},"PR.AC-1",[563,604,605,608,610,613,616,619],{},[585,606,607],{},"MFA",[585,609,590],{},[585,611,612],{},"A.8.5",[585,614,615],{},"Addressable",[585,617,618],{},"Req 8.4",[585,620,621],{},"PR.AC-7",[563,623,624,627,630,633,636,639],{},[585,625,626],{},"Access reviews",[585,628,629],{},"CC6.2",[585,631,632],{},"A.5.18",[585,634,635],{},"§164.312(a)(1)",[585,637,638],{},"Req 7.2",[585,640,641],{},"PR.AC-4",[563,643,644,646,649,652,654,657],{},[585,645,263],{},[585,647,648],{},"CC6.3",[585,650,651],{},"A.5.15",[585,653,635],{},[585,655,656],{},"Req 7.1",[585,658,641],{},[563,660,661,664,666,668,671,674],{},[585,662,663],{},"Deprovisioning",[585,665,629],{},[585,667,632],{},[585,669,670],{},"§164.312(a)(2)(ii)",[585,672,673],{},"Req 8.2.6",[585,675,602],{},[15,677,678],{},"Organizations subject to multiple frameworks can use this mapping to build a unified access control program that satisfies overlapping requirements without duplicating effort.",[15,680,681],{},"A few notes on framework-specific nuances:",[27,683,684,689,697,704],{},[30,685,686,688],{},[33,687,417],{}," treats MFA as an \"addressable\" implementation specification, meaning covered entities must implement it or document why an equivalent alternative is reasonable. In practice, most organizations implement MFA because the risk of not doing so is difficult to justify.",[30,690,691,696],{},[33,692,693,695],{},[189,694,430],{"href":191}," v4.0"," expanded MFA requirements (Req 8.4) to include all access into the cardholder data environment, not just remote access. Organizations processing card data should verify their MFA coverage meets the updated scope.",[30,698,699,703],{},[33,700,701],{},[189,702,394],{"href":393}," does not prescribe specific technologies but evaluates whether the controls in place are suitably designed and operating effectively. Auditors will look for evidence that access control policies are enforced consistently.",[30,705,706,710],{},[33,707,708],{},[189,709,439],{"href":438}," provides a flexible, risk-based approach. The PR.AC subcategory identifiers map to more detailed controls in NIST SP 800-53, which organizations can reference for implementation guidance.",[19,712,714],{"id":713},"how-does-zero-trust-relate-to-access-control","How does zero trust relate to access control?",[15,716,717,718,193],{},"Traditional access control models assume that users inside the network perimeter can be trusted. Zero trust architecture rejects that assumption entirely: ",[33,719,720],{},"never trust, always verify",[15,722,723],{},"In a zero trust model, every access request is authenticated, authorized, and encrypted regardless of where it originates. Key principles include:",[27,725,726,732,738,749,755],{},[30,727,728,731],{},[33,729,730],{},"Continuous verification"," — access decisions are re-evaluated throughout a session, not just at login. Changes in user behavior, location, or risk score can trigger step-up authentication or session termination.",[30,733,734,737],{},[33,735,736],{},"Micro-segmentation"," — network resources are divided into small, isolated zones so that compromising one segment does not grant lateral access to others.",[30,739,740,743,744,748],{},[33,741,742],{},"Device posture checks"," — the security state of the connecting device (patch level, endpoint protection status, disk ",[189,745,747],{"href":746},"\u002Fglossary\u002Fencryption","encryption",") is evaluated before access is granted.",[30,750,751,754],{},[33,752,753],{},"Identity-centric perimeter"," — the network perimeter is replaced by identity as the primary security boundary. Every user, device, and workload must prove its identity before accessing any resource.",[30,756,757,760],{},[33,758,759],{},"Least privilege enforcement at the session level"," — access grants are scoped to the specific resource and action needed, and they expire when the session ends or conditions change.",[15,762,763],{},"NIST SP 800-207 defines the zero trust architecture and provides guidance on implementation. Many compliance frameworks are increasingly aligning their access control requirements with zero trust principles, making it a forward-looking strategy for organizations building or modernizing their access control programs.",[15,765,766],{},"Zero trust is not a single product but an architectural approach that spans identity, network, endpoints, and data.",[15,768,769],{},"Adopting zero trust does not require replacing your existing access control infrastructure overnight. Most organizations begin by enforcing MFA universally, segmenting their most sensitive assets, and adding device posture checks to their conditional access policies. Over time, these incremental improvements compound into a mature zero trust posture.",[19,771,773],{"id":772},"how-does-episki-help-with-access-control","How does episki help with access control?",[15,775,776,777,193],{},"episki tracks access control policies, monitors review schedules, and documents access provisioning and deprovisioning activities. The platform sends reminders for periodic access reviews and maintains evidence for auditors. Learn more on our ",[189,778,780],{"href":779},"\u002Fframeworks","compliance platform",{"title":195,"searchDepth":196,"depth":196,"links":782},[783],{"id":245,"depth":196,"text":246,"children":784},[785,786,787,788,789,790,791,792,793,794],{"id":252,"depth":201,"text":253},{"id":285,"depth":201,"text":286},{"id":313,"depth":201,"text":314},{"id":380,"depth":201,"text":381},{"id":443,"depth":201,"text":444},{"id":464,"depth":201,"text":465},{"id":494,"depth":201,"text":495},{"id":551,"depth":201,"text":552},{"id":713,"depth":201,"text":714},{"id":772,"depth":201,"text":773},{},"\u002Fglossary\u002Faccess-control",[798,799,800,801,213,802],"cmmc","soc2","iso27001","hipaa","nistcsf",[804,805,747,806],"minimum-necessary-rule","audit-trail","user-entity-controls",{"title":808,"description":809},"Access Control in Compliance: RBAC, MFA & Least Privilege","Access control restricts system and data access to authorized users. Learn RBAC, MFA, least privilege, and requirements across SOC 2, ISO 27001, HIPAA, and PCI DSS.","access-control","8.glossary\u002Faccess-control","06FHtOe5hEs65vhNnMjZcNgPP9NXCQTnLD9llz_jEjM",{"id":814,"title":815,"body":816,"description":195,"extension":207,"lastUpdated":208,"meta":1028,"navigation":210,"path":1029,"relatedFrameworks":1030,"relatedTerms":1031,"seo":1033,"slug":1036,"stem":1037,"term":821,"__hash__":1038},"glossary\u002F8.glossary\u002Fasv.md","Asv",{"type":7,"value":817,"toc":1017},[818,822,825,829,832,849,853,856,888,892,895,939,943,946,957,960,964,967,981,984,988,991,1008,1012],[10,819,821],{"id":820},"what-is-an-approved-scanning-vendor-asv","What is an Approved Scanning Vendor (ASV)?",[15,823,824],{},"An Approved Scanning Vendor (ASV) is a company certified by the PCI Security Standards Council to perform external vulnerability scans of internet-facing systems that are part of the cardholder data environment. ASV scans are a specific PCI DSS requirement (Requirement 11.3.2) and must be conducted quarterly by a PCI SSC-approved vendor.",[19,826,828],{"id":827},"what-is-the-purpose-of-asv-scans","What is the purpose of ASV scans?",[15,830,831],{},"ASV scans serve as an independent check on the security of externally facing systems that could be used to access cardholder data. The scans identify:",[27,833,834,837,840,843,846],{},[30,835,836],{},"Known vulnerabilities in operating systems, applications, and network devices",[30,838,839],{},"Misconfigurations that could expose systems to attack",[30,841,842],{},"Weak or default credentials on internet-facing services",[30,844,845],{},"Missing security patches",[30,847,848],{},"Other security weaknesses visible from the external network",[19,850,852],{"id":851},"what-are-the-asv-scan-requirements","What are the ASV scan requirements?",[15,854,855],{},"PCI DSS requires:",[27,857,858,864,870,876,882],{},[30,859,860,863],{},[33,861,862],{},"Quarterly scans"," — external vulnerability scans must be performed at least once every 90 days",[30,865,866,869],{},[33,867,868],{},"Passing results"," — scans must achieve a passing status, meaning no vulnerabilities with a CVSS score of 4.0 or higher remain unresolved",[30,871,872,875],{},[33,873,874],{},"Scan coverage"," — all externally facing IP addresses and domains in scope must be included",[30,877,878,881],{},[33,879,880],{},"Rescans after remediation"," — if a scan fails, vulnerabilities must be remediated and a rescan performed to confirm resolution",[30,883,884,887],{},[33,885,886],{},"Scan after significant changes"," — additional scans may be required after significant infrastructure changes",[19,889,891],{"id":890},"how-do-asv-scans-work","How do ASV scans work?",[15,893,894],{},"The ASV scan process typically follows these steps:",[500,896,897,903,909,915,921,927,933],{},[30,898,899,902],{},[33,900,901],{},"Scope definition"," — the organization identifies all external IP addresses and domains in the cardholder data environment",[30,904,905,908],{},[33,906,907],{},"Scan execution"," — the ASV performs automated vulnerability scanning against the defined scope",[30,910,911,914],{},[33,912,913],{},"Results review"," — the ASV provides a report detailing identified vulnerabilities, their severity, and remediation guidance",[30,916,917,920],{},[33,918,919],{},"Dispute resolution"," — if the organization believes a finding is a false positive, it can submit a dispute to the ASV with supporting evidence",[30,922,923,926],{},[33,924,925],{},"Remediation"," — the organization addresses identified vulnerabilities",[30,928,929,932],{},[33,930,931],{},"Rescan"," — if needed, the ASV performs additional scans to confirm remediation",[30,934,935,938],{},[33,936,937],{},"Attestation"," — the ASV provides a scan attestation confirming the results",[19,940,942],{"id":941},"what-is-the-difference-between-passing-and-failing-asv-scans","What is the difference between passing and failing ASV scans?",[15,944,945],{},"A scan is considered passing when:",[27,947,948,951,954],{},[30,949,950],{},"No vulnerabilities with a CVSS base score of 4.0 or higher are present",[30,952,953],{},"No automatic failure conditions exist (such as DNS zone transfers, unrestricted SQL access, or use of SSL\u002Fearly TLS)",[30,955,956],{},"All components in scope have been successfully scanned",[15,958,959],{},"Failing scans must be addressed before the organization can demonstrate compliance for that quarter.",[19,961,963],{"id":962},"what-is-the-difference-between-asv-scans-and-penetration-testing","What is the difference between ASV scans and penetration testing?",[15,965,966],{},"ASV scans and penetration testing serve different purposes:",[27,968,969,975],{},[30,970,971,974],{},[33,972,973],{},"ASV scans"," are automated external vulnerability scans required quarterly, focused on identifying known vulnerabilities",[30,976,977,980],{},[33,978,979],{},"Penetration testing"," involves manual testing by skilled testers who attempt to exploit vulnerabilities and chain findings together",[15,982,983],{},"Both are required by PCI DSS, but they serve complementary functions. ASV scans provide broad, frequent coverage while penetration tests provide deeper, more targeted analysis.",[19,985,987],{"id":986},"how-do-you-choose-an-asv","How do you choose an ASV?",[15,989,990],{},"The PCI SSC maintains a list of approved scanning vendors on its website. When selecting an ASV, consider:",[27,992,993,996,999,1002,1005],{},[30,994,995],{},"Quality and usability of scan reports",[30,997,998],{},"False positive rates and dispute resolution processes",[30,1000,1001],{},"Customer support responsiveness",[30,1003,1004],{},"Integration capabilities with your security tools",[30,1006,1007],{},"Pricing structure",[19,1009,1011],{"id":1010},"how-does-episki-help-with-asv-scans","How does episki help with ASV scans?",[15,1013,1014,1015,193],{},"episki tracks your ASV scan schedule, stores scan results, and monitors remediation of identified vulnerabilities. The platform alerts you when quarterly scans are due and flags overdue remediation items. Learn more on our ",[189,1016,192],{"href":191},{"title":195,"searchDepth":196,"depth":196,"links":1018},[1019],{"id":820,"depth":196,"text":821,"children":1020},[1021,1022,1023,1024,1025,1026,1027],{"id":827,"depth":201,"text":828},{"id":851,"depth":201,"text":852},{"id":890,"depth":201,"text":891},{"id":941,"depth":201,"text":942},{"id":962,"depth":201,"text":963},{"id":986,"depth":201,"text":987},{"id":1010,"depth":201,"text":1011},{},"\u002Fglossary\u002Fasv",[213],[215,216,217,1032,218],"penetration-testing",{"title":1034,"description":1035},"Approved Scanning Vendor (ASV): PCI DSS Scan Requirements","An ASV is a PCI SSC-certified company that runs external vulnerability scans. Learn when ASV scans are required, how to pass, and what happens if you fail.","asv","8.glossary\u002Fasv","1RCuGF3FH1uv6KD3UKnip7mN31_pxDH7c5aUf0urTlM",[1040,1328],{"id":1041,"title":1042,"body":1043,"description":1300,"extension":207,"faq":1301,"frameworkSlug":213,"lastUpdated":208,"meta":1315,"navigation":210,"path":1316,"relatedTerms":1317,"relatedTopics":1319,"seo":1323,"stem":1326,"__hash__":1327},"frameworkTopics\u002F5.frameworks\u002Fpci\u002Fasv-program.md","PCI DSS ASV Program and Quarterly External Scans",{"type":7,"value":1044,"toc":1290},[1045,1049,1052,1055,1059,1062,1065,1079,1082,1086,1089,1131,1134,1138,1141,1203,1206,1210,1213,1216,1220,1223,1226,1230,1280,1284],[10,1046,1048],{"id":1047},"what-the-pci-dss-asv-program-is","What the PCI DSS ASV program is",[15,1050,1051],{},"The Approved Scanning Vendor (ASV) program is the PCI Security Standards Council's accreditation scheme for firms that perform the external vulnerability scans PCI DSS requires. Under PCI DSS Requirement 11.3.2, every organization with internet-facing systems in the cardholder data environment must run external vulnerability scans at least quarterly and after any significant change, and those scans must be performed by an ASV. Only firms listed on the PCI SSC's public ASV list can produce reports that satisfy PCI DSS; scans from unaccredited scanners or purely internal tooling do not count.",[15,1053,1054],{},"ASVs earn their status by passing an annual PCI SSC qualification, running their scanning tooling through a rigorous validation environment, and employing certified ASV employees. The PCI SSC maintains the master list of ASVs and publishes updates as firms are added, renewed, or removed. Selecting an ASV is therefore both a PCI DSS compliance decision and a security decision: the ASV's scanners, processes, and analyst capacity materially shape the quality of your external vulnerability data.",[10,1056,1058],{"id":1057},"how-quarterly-external-scans-work","How quarterly external scans work",[15,1060,1061],{},"PCI DSS Requirement 11.3.2 mandates external vulnerability scanning at least once every three months, with every quarterly scan producing a passing result. The ASV configures scanning against the internet-facing IP ranges and fully qualified domain names in the cardholder data environment. The ASV runs automated vulnerability checks, produces a scan report, and works with you through dispute and remediation until the scan passes.",[15,1063,1064],{},"A passing PCI DSS ASV scan has:",[27,1066,1067,1070,1073,1076],{},[30,1068,1069],{},"No vulnerabilities rated CVSS 4.0 or higher that remain exploitable after validation",[30,1071,1072],{},"No \"automatic failure\" findings such as SQL injection, cross-site scripting on sensitive pages, insecure remote access, or default passwords on any accessible service",[30,1074,1075],{},"No evidence that the scan was inappropriately restricted by firewall rules, rate limiting, or intrusion prevention systems",[30,1077,1078],{},"All in-scope hosts successfully scanned, not marked as unreachable without documented justification",[15,1080,1081],{},"If any of those conditions fail, the scan fails. You remediate the finding, request a rescan, and repeat until the quarter closes with a clean result. The PCI DSS rule of four is strict: you need four passing quarterly ASV scans per reporting period, not four attempted scans. Missing a quarter is a PCI DSS finding your QSA will flag.",[10,1083,1085],{"id":1084},"remediation-timelines-and-workflow","Remediation timelines and workflow",[15,1087,1088],{},"A realistic PCI DSS ASV cadence looks like this:",[500,1090,1091,1097,1103,1109,1115,1120,1125],{},[30,1092,1093,1096],{},[33,1094,1095],{},"Scan window opens"," at the start of each quarter. You schedule the scan with your ASV, confirm the IP ranges and domains in scope, and update any authentication material the scanner needs.",[30,1098,1099,1102],{},[33,1100,1101],{},"Initial scan runs"," -- typically overnight or over a weekend to avoid business impact.",[30,1104,1105,1108],{},[33,1106,1107],{},"Results are delivered"," within a few business days. Your team reviews findings with the ASV.",[30,1110,1111,1114],{},[33,1112,1113],{},"Disputes are raised"," for false positives, compensating controls, or findings that do not apply in context. The ASV evaluates evidence and either accepts the dispute (the finding is suppressed) or rejects it (you remediate).",[30,1116,1117,1119],{},[33,1118,925],{}," -- you patch, reconfigure, or retire affected components.",[30,1121,1122,1124],{},[33,1123,931],{}," -- the ASV reruns the scan or a targeted subset. If clean, the quarter passes. If not, loop back.",[30,1126,1127,1130],{},[33,1128,1129],{},"Final passing report"," is archived for your QSA and retained for at least 12 months.",[15,1132,1133],{},"PCI DSS does not prescribe an absolute remediation deadline inside a quarter, but practical limits apply: the quarter itself is the deadline. If you cannot remediate and rescan to a passing result before the next quarter begins, you have a PCI DSS finding. Well-run programs aim to pass the first scan of every quarter within two to three weeks, leaving buffer for unexpected findings.",[10,1135,1137],{"id":1136},"selecting-an-asv","Selecting an ASV",[15,1139,1140],{},"The PCI SSC does not rank ASVs, so selection is up to you. Evaluate prospective ASVs against the following criteria:",[27,1142,1143,1149,1155,1161,1167,1173,1179,1185,1191,1197],{},[30,1144,1145,1148],{},[33,1146,1147],{},"PCI SSC listing"," -- confirm the firm is on the current ASV list. Accreditation lapses.",[30,1150,1151,1154],{},[33,1152,1153],{},"Scanning technology"," -- ask which engine powers their scanning (commercial, open source, proprietary) and how frequently their vulnerability signatures update.",[30,1156,1157,1160],{},[33,1158,1159],{},"Coverage of your stack"," -- if you run container workloads, serverless functions, or unusual platforms, confirm the ASV can scan them.",[30,1162,1163,1166],{},[33,1164,1165],{},"Authenticated scan support"," -- most PCI DSS ASV scans are unauthenticated, but some findings require credentialed validation during dispute.",[30,1168,1169,1172],{},[33,1170,1171],{},"Analyst depth"," -- an ASV with strong analysts accelerates dispute resolution dramatically. Ask how many certified ASV employees they have and what response SLAs they offer.",[30,1174,1175,1178],{},[33,1176,1177],{},"Reporting portal"," -- review the portal used to schedule scans, review findings, manage disputes, and download attestations. Clunky portals waste security team time every quarter.",[30,1180,1181,1184],{},[33,1182,1183],{},"Integration options"," -- API, SSO, ticketing integrations (Jira, ServiceNow), and export formats that feed your evidence system of record.",[30,1186,1187,1190],{},[33,1188,1189],{},"Pricing model"," -- per-IP, per-domain, or flat-rate. Confirm rescan fees and what \"significant change\" scans cost.",[30,1192,1193,1196],{},[33,1194,1195],{},"Dispute and escalation process"," -- how quickly can you get an analyst on a call when a finding is blocking a passing scan?",[30,1198,1199,1202],{},[33,1200,1201],{},"References"," -- ask for references from organizations of similar size and stack.",[15,1204,1205],{},"Many organizations pair their ASV with the same firm that provides their QSA services, though they are distinct programs with distinct accreditations. If you choose the same firm, confirm they can operationally keep the two functions independent.",[10,1207,1209],{"id":1208},"internal-scanning-and-the-bigger-pci-dss-picture","Internal scanning and the bigger PCI DSS picture",[15,1211,1212],{},"External ASV scans are only half of PCI DSS Requirement 11.3. You must also perform internal vulnerability scans at least quarterly and after significant change, re-scanning until all high-risk vulnerabilities are resolved. Internal scans can be performed by your own staff with commercial scanning tools -- they do not require an ASV. PCI DSS v4.0 tightens expectations on internal scan coverage, authenticated scanning, and risk-ranking of findings.",[15,1214,1215],{},"Together, ASV scans, internal scans, penetration testing, and segmentation testing make up the testing stack that Requirement 11 demands. ASV reports feed your Attestation of Compliance, your QSA's testing procedures, and your own board reporting on vulnerability posture.",[10,1217,1219],{"id":1218},"how-this-fits-into-pci-dss-compliance","How this fits into PCI DSS compliance",[15,1221,1222],{},"Quarterly ASV scans are one of the most visible artifacts in a PCI DSS program. Your acquirer often reviews ASV attestations alongside your SAQ or ROC, card brands may audit ASV records during a breach investigation, and QSAs use ASV history as an early signal of program maturity. A clean ASV history with promptly resolved findings tells a compelling story. A history of missed quarters, unresolved disputes, or gaps in coverage does the opposite and almost always triggers deeper testing during an assessment.",[15,1224,1225],{},"ASV scanning is also closely tied to PCI DSS scope. Every time your external attack surface changes -- new domains, new public IPs, new cloud environments -- the ASV scope must be updated. Organizations that treat the ASV contract as set-and-forget often discover during an assessment that their ASV has been scanning a stale inventory for quarters, invalidating the PCI DSS evidence they thought they had.",[10,1227,1229],{"id":1228},"common-mistakes","Common mistakes",[27,1231,1232,1238,1244,1250,1256,1262,1268,1274],{},[30,1233,1234,1237],{},[33,1235,1236],{},"Scoping the ASV to a subset of internet-facing assets",", leaving cardholder-data-affecting systems unscanned.",[30,1239,1240,1243],{},[33,1241,1242],{},"Ignoring new domains and cloud resources"," until the ASV renewal, creating gaps that a QSA will discover.",[30,1245,1246,1249],{},[33,1247,1248],{},"Allowing firewall or WAF rules to block the ASV scanner",", producing \"unable to scan\" findings that invalidate the scan.",[30,1251,1252,1255],{},[33,1253,1254],{},"Suppressing findings without documented compensating controls"," -- ASV disputes must be evidence-backed.",[30,1257,1258,1261],{},[33,1259,1260],{},"Missing a quarter because a rescan slipped",", which produces a PCI DSS finding that carries into the ROC.",[30,1263,1264,1267],{},[33,1265,1266],{},"Treating ASV scans as a substitute for internal scans or penetration testing"," -- they are not interchangeable under PCI DSS.",[30,1269,1270,1273],{},[33,1271,1272],{},"Relying on default credentials or test accounts"," on any internet-facing system, which is an automatic ASV failure.",[30,1275,1276,1279],{},[33,1277,1278],{},"Procuring ASV services purely on price",", then discovering the support model cannot keep up with dispute volume.",[10,1281,1283],{"id":1282},"how-episki-helps","How episki helps",[15,1285,1286,1287,193],{},"episki centralizes every ASV scan, dispute, and remediation ticket against the specific PCI DSS requirement it supports, so quarter-over-quarter evidence is always at hand. We connect to your ASV portal, reconcile scanned assets against your cloud inventory, and route findings to engineering owners with remediation SLAs tied back to the PCI DSS requirement they satisfy. See how we support continuous PCI DSS evidence on the ",[189,1288,1289],{"href":191},"PCI DSS hub",{"title":195,"searchDepth":196,"depth":196,"links":1291},[1292,1293,1294,1295,1296,1297,1298,1299],{"id":1047,"depth":196,"text":1048},{"id":1057,"depth":196,"text":1058},{"id":1084,"depth":196,"text":1085},{"id":1136,"depth":196,"text":1137},{"id":1208,"depth":196,"text":1209},{"id":1218,"depth":196,"text":1219},{"id":1228,"depth":196,"text":1229},{"id":1282,"depth":196,"text":1283},"A practical guide to the PCI DSS Approved Scanning Vendor (ASV) program, quarterly external vulnerability scans, remediation timelines, and how to select the right ASV.",{"items":1302},[1303,1306,1309,1312],{"label":1304,"content":1305},"What is a PCI DSS ASV?","An Approved Scanning Vendor (ASV) is an organization certified by the PCI Security Standards Council to perform the external vulnerability scans required by PCI DSS Requirement 11.3.2. Only ASVs on the PCI SSC's published list can produce scan reports that satisfy PCI DSS.",{"label":1307,"content":1308},"How often are PCI DSS ASV scans required?","PCI DSS requires external ASV scans at least quarterly, plus an additional scan after any significant change to the in-scope environment. All four quarterly scans must have a passing result during the reporting period.",{"label":1310,"content":1311},"What counts as a passing ASV scan?","A passing ASV scan has no vulnerabilities rated CVSS 4.0 or higher after validation and no automatic failures such as default credentials or cross-site scripting on accessible pages. Failed scans must be remediated and rescanned until a clean, passing result is produced.",{"label":1313,"content":1314},"Who needs PCI DSS ASV scans?","Any organization with internet-facing systems in the cardholder data environment must run quarterly ASV scans. This includes most merchants accepting card-not-present transactions and all service providers that handle cardholder data over the internet.",{},"\u002Fframeworks\u002Fpci\u002Fasv-program",[1036,215,218,1318],"vulnerability-management",[1320,1032,1321,1322],"requirements","scope-reduction","qsa-selection",{"title":1324,"description":1325},"PCI DSS ASV Program: Quarterly Scans, Remediation & Vendor Selection","Everything you need to know about the PCI DSS ASV program — quarterly external vulnerability scans, passing thresholds, remediation timelines, and selecting an Approved Scanning Vendor.","5.frameworks\u002Fpci\u002Fasv-program","czpbkV8MpfNBucbxY5kpFREMCUA70p5n94ntk8vGlFY",{"id":1329,"title":1330,"body":1331,"description":1689,"extension":207,"faq":1690,"frameworkSlug":213,"lastUpdated":208,"meta":1704,"navigation":210,"path":1705,"relatedTerms":1706,"relatedTopics":1708,"seo":1711,"stem":1714,"__hash__":1715},"frameworkTopics\u002F5.frameworks\u002Fpci\u002Fcompliance-levels.md","PCI DSS Compliance Levels",{"type":7,"value":1332,"toc":1668},[1333,1337,1340,1347,1351,1355,1361,1366,1380,1385,1399,1407,1411,1416,1420,1430,1438,1442,1447,1451,1460,1463,1467,1472,1476,1486,1489,1493,1496,1500,1506,1510,1520,1524,1529,1533,1540,1543,1547,1550,1582,1585,1589,1593,1596,1600,1607,1611,1614,1618,1626,1630,1633,1665],[10,1334,1336],{"id":1335},"how-pci-dss-compliance-levels-work","How PCI DSS compliance levels work",[15,1338,1339],{},"PCI DSS applies universally to any organization that stores, processes, or transmits cardholder data. However, the validation requirements -- how you demonstrate compliance -- vary based on your transaction volume and business type. The payment card brands (Visa, Mastercard, American Express, Discover, and JCB) each define their own compliance level thresholds, though the levels are broadly similar.",[15,1341,1342,1343,1346],{},"Understanding your compliance level is essential for planning your ",[189,1344,1345],{"href":191},"PCI DSS compliance"," program. Your level determines whether you need a formal on-site assessment by a Qualified Security Assessor (QSA) or can self-validate using a Self-Assessment Questionnaire (SAQ).",[10,1348,1350],{"id":1349},"merchant-compliance-levels","Merchant compliance levels",[19,1352,1354],{"id":1353},"level-1-largest-merchants","Level 1 - Largest merchants",[15,1356,1357,1360],{},[33,1358,1359],{},"Transaction threshold:"," More than 6 million card transactions per year across all channels (Visa and Mastercard). American Express sets this at 2.5 million transactions.",[15,1362,1363],{},[33,1364,1365],{},"Validation requirements:",[27,1367,1368,1371,1374,1377],{},[30,1369,1370],{},"Annual Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA)",[30,1372,1373],{},"Quarterly network vulnerability scans by an Approved Scanning Vendor (ASV)",[30,1375,1376],{},"Attestation of Compliance (AOC) signed by the QSA and an officer of the organization",[30,1378,1379],{},"Annual penetration test",[15,1381,1382],{},[33,1383,1384],{},"Who falls into Level 1:",[27,1386,1387,1390,1393,1396],{},[30,1388,1389],{},"Major retailers, airlines, and hospitality chains",[30,1391,1392],{},"Large e-commerce platforms",[30,1394,1395],{},"Any merchant that has experienced a data breach resulting in account data compromise (regardless of transaction volume)",[30,1397,1398],{},"Any merchant that a payment brand identifies as Level 1 at its discretion",[15,1400,1401,1402,1406],{},"Level 1 assessments are the most rigorous and expensive. The ROC process involves detailed evidence review, on-site interviews, system sampling, and testing of every applicable control across all 12 ",[189,1403,1405],{"href":1404},"\u002Fframeworks\u002Fpci\u002Frequirements","PCI DSS requirements",". Assessments typically take several weeks to several months depending on the size and complexity of the cardholder data environment.",[19,1408,1410],{"id":1409},"level-2-mid-size-merchants","Level 2 - Mid-size merchants",[15,1412,1413,1415],{},[33,1414,1359],{}," 1 million to 6 million card transactions per year (Visa and Mastercard).",[15,1417,1418],{},[33,1419,1365],{},[27,1421,1422,1425,1428],{},[30,1423,1424],{},"Annual Self-Assessment Questionnaire (SAQ) appropriate to the merchant's payment processing environment",[30,1426,1427],{},"Quarterly ASV vulnerability scans",[30,1429,134],{},[15,1431,1432,1433,1437],{},"Some acquiring banks may require Level 2 merchants to complete a ROC or engage a QSA to validate their SAQ, particularly if the merchant operates in a high-risk industry or has experienced security incidents. The specific SAQ type depends on how the merchant processes payments -- see the ",[189,1434,1436],{"href":1435},"\u002Fframeworks\u002Fpci\u002Fself-assessment-questionnaire","SAQ guide"," for details.",[19,1439,1441],{"id":1440},"level-3-e-commerce-merchants","Level 3 - E-commerce merchants",[15,1443,1444,1446],{},[33,1445,1359],{}," 20,000 to 1 million e-commerce transactions per year (Visa). Mastercard defines Level 3 as merchants processing 20,000 to 1 million total transactions.",[15,1448,1449],{},[33,1450,1365],{},[27,1452,1453,1456,1458],{},[30,1454,1455],{},"Annual SAQ appropriate to the merchant's environment",[30,1457,1427],{},[30,1459,134],{},[15,1461,1462],{},"Level 3 was originally designed to address e-commerce merchants specifically, recognizing the elevated risk of card-not-present transactions. In practice, the validation requirements are similar to Level 2, but the threshold is significantly lower for online-only merchants.",[19,1464,1466],{"id":1465},"level-4-smallest-merchants","Level 4 - Smallest merchants",[15,1468,1469,1471],{},[33,1470,1359],{}," Fewer than 20,000 e-commerce transactions per year and fewer than 1 million total transactions across all channels.",[15,1473,1474],{},[33,1475,1365],{},[27,1477,1478,1481,1484],{},[30,1479,1480],{},"Annual SAQ appropriate to the merchant's environment (recommended but determined by acquirer)",[30,1482,1483],{},"Quarterly ASV vulnerability scans (if applicable to the SAQ type)",[30,1485,134],{},[15,1487,1488],{},"Level 4 encompasses the vast majority of merchants worldwide. While the validation requirements are the least demanding, the PCI DSS requirements themselves still apply in full. A data breach at a Level 4 merchant carries the same consequences as one at a Level 1 merchant. Many acquiring banks set their own requirements for Level 4 merchants, and some may not actively enforce SAQ completion, which unfortunately leads to gaps in security.",[10,1490,1492],{"id":1491},"service-provider-compliance-levels","Service provider compliance levels",[15,1494,1495],{},"Service providers -- organizations that store, process, or transmit cardholder data on behalf of other entities, or that could affect the security of cardholder data -- have their own compliance levels.",[19,1497,1499],{"id":1498},"service-provider-level-1","Service provider Level 1",[15,1501,1502,1505],{},[33,1503,1504],{},"Threshold:"," More than 300,000 card transactions per year (Visa) or any service provider that stores, processes, or transmits more than 300,000 Mastercard transactions.",[15,1507,1508],{},[33,1509,1365],{},[27,1511,1512,1515,1517],{},[30,1513,1514],{},"Annual ROC by a QSA",[30,1516,1427],{},[30,1518,1519],{},"Semi-annual segmentation penetration testing (more frequent than merchant requirements)",[19,1521,1523],{"id":1522},"service-provider-level-2","Service provider Level 2",[15,1525,1526,1528],{},[33,1527,1504],{}," Fewer than 300,000 card transactions per year.",[15,1530,1531],{},[33,1532,1365],{},[27,1534,1535,1538],{},[30,1536,1537],{},"Annual SAQ-D for Service Providers",[30,1539,1427],{},[15,1541,1542],{},"Service providers face additional PCI DSS requirements beyond those for merchants, including change detection mechanisms, penetration testing of segmentation controls every six months, and documented responsibilities in customer agreements. Many payment brands maintain public registries of validated service providers that merchants can reference.",[10,1544,1546],{"id":1545},"payment-brand-variations","Payment brand variations",[15,1548,1549],{},"While the levels described above represent the general framework, each payment brand has specific nuances:",[27,1551,1552,1558,1564,1570,1576],{},[30,1553,1554,1557],{},[33,1555,1556],{},"Visa"," distinguishes between e-commerce and total transaction counts for Levels 3 and 4",[30,1559,1560,1563],{},[33,1561,1562],{},"Mastercard"," includes a \"Site Data Protection\" (SDP) program with registration requirements",[30,1565,1566,1569],{},[33,1567,1568],{},"American Express"," uses a lower Level 1 threshold (2.5 million transactions) and refers to its program as the Data Security Operating Policy (DSOP)",[30,1571,1572,1575],{},[33,1573,1574],{},"Discover"," follows a similar four-level structure but determines levels based on Discover-brand transactions specifically",[30,1577,1578,1581],{},[33,1579,1580],{},"JCB"," follows a structure aligned with Visa but with its own compliance program requirements",[15,1583,1584],{},"Organizations that accept multiple card brands must meet the most stringent level applicable across all brands. If you process 3 million Visa transactions (Level 2 for Visa) but 3 million American Express transactions (Level 1 for Amex), you would need to meet Level 1 validation requirements.",[10,1586,1588],{"id":1587},"how-compliance-levels-affect-your-program","How compliance levels affect your program",[19,1590,1592],{"id":1591},"assessment-cost-and-effort","Assessment cost and effort",[15,1594,1595],{},"Level 1 assessments involving a QSA engagement can cost anywhere from $50,000 to over $500,000 depending on the complexity of the environment, the number of locations, and the maturity of existing controls. Self-assessment at Levels 2 through 4 is less expensive but still requires significant internal effort to gather evidence, complete the questionnaire accurately, and maintain documentation.",[19,1597,1599],{"id":1598},"scope-reduction-benefits","Scope reduction benefits",[15,1601,1602,1606],{},[189,1603,1605],{"href":1604},"\u002Fframeworks\u002Fpci\u002Fscope-reduction","PCI DSS scope reduction"," techniques benefit organizations at every level. For Level 1 merchants, a smaller cardholder data environment means a shorter, less expensive QSA engagement. For Level 2 through 4 merchants, scope reduction may qualify you for a simpler SAQ type, reducing the number of questions from over 300 (SAQ D) to as few as 22 (SAQ A).",[19,1608,1610],{"id":1609},"acquirer-requirements","Acquirer requirements",[15,1612,1613],{},"Your acquiring bank (the bank that processes card transactions on your behalf) is ultimately responsible for ensuring your compliance. Acquirers may impose requirements beyond the minimum defined by the payment brands. Some acquirers require Level 2 merchants to undergo QSA assessments, mandate specific SAQ types, or set deadlines for compliance validation that differ from the payment brand's timelines.",[19,1615,1617],{"id":1616},"breach-consequences-by-level","Breach consequences by level",[15,1619,1620,1621,1625],{},"A data breach can result in escalation to a higher compliance level, significant fines from payment brands (ranging from $5,000 to $100,000 per month of non-compliance), forensic investigation costs, and potential loss of the ability to process card payments. These consequences apply regardless of compliance level, which is why organizations at every level in the ",[189,1622,1624],{"href":1623},"\u002Findustry\u002Ffinance","fintech industry"," and beyond should invest in robust security controls rather than treating compliance as a box-checking exercise.",[10,1627,1629],{"id":1628},"determining-your-level","Determining your level",[15,1631,1632],{},"To determine your compliance level:",[500,1634,1635,1641,1647,1653,1659],{},[30,1636,1637,1640],{},[33,1638,1639],{},"Count your annual transactions"," across all channels and all payment brands",[30,1642,1643,1646],{},[33,1644,1645],{},"Identify which payment brands you accept"," and check each brand's specific thresholds",[30,1648,1649,1652],{},[33,1650,1651],{},"Consult your acquiring bank"," for any additional requirements or level assignments",[30,1654,1655,1658],{},[33,1656,1657],{},"Consider breach history"," -- a prior breach may automatically place you at Level 1",[30,1660,1661,1664],{},[33,1662,1663],{},"Plan for growth"," -- if you are approaching a threshold, plan for the next level's validation requirements proactively",[15,1666,1667],{},"Your compliance level is not static. As transaction volumes grow, you may move to a higher level with more demanding validation requirements. Building a mature compliance program early ensures a smoother transition when that time comes.",{"title":195,"searchDepth":196,"depth":196,"links":1669},[1670,1671,1677,1681,1682,1688],{"id":1335,"depth":196,"text":1336},{"id":1349,"depth":196,"text":1350,"children":1672},[1673,1674,1675,1676],{"id":1353,"depth":201,"text":1354},{"id":1409,"depth":201,"text":1410},{"id":1440,"depth":201,"text":1441},{"id":1465,"depth":201,"text":1466},{"id":1491,"depth":196,"text":1492,"children":1678},[1679,1680],{"id":1498,"depth":201,"text":1499},{"id":1522,"depth":201,"text":1523},{"id":1545,"depth":196,"text":1546},{"id":1587,"depth":196,"text":1588,"children":1683},[1684,1685,1686,1687],{"id":1591,"depth":201,"text":1592},{"id":1598,"depth":201,"text":1599},{"id":1609,"depth":201,"text":1610},{"id":1616,"depth":201,"text":1617},{"id":1628,"depth":196,"text":1629},"An explanation of PCI DSS merchant and service provider compliance levels, transaction thresholds, and validation requirements for each level.",{"items":1691},[1692,1695,1698,1701],{"label":1693,"content":1694},"How do I determine my PCI DSS compliance level?","Your level is based on annual card transaction volume across all channels and payment brands. Merchant Level 1 is 6+ million transactions, Level 2 is 1–6 million, Level 3 is 20,000–1 million e-commerce transactions, and Level 4 is everything below those thresholds. Your acquiring bank may also assign a higher level.",{"label":1696,"content":1697},"What is the difference between SAQ and ROC in PCI DSS?","A Self-Assessment Questionnaire (SAQ) is a self-validation tool used by Level 2–4 merchants. A Report on Compliance (ROC) is a formal assessment conducted by a Qualified Security Assessor (QSA) and is required for Level 1 merchants. ROC assessments are significantly more rigorous and expensive.",{"label":1699,"content":1700},"Can a data breach change my PCI compliance level?","Yes. Any merchant that experiences a data breach resulting in account data compromise is automatically escalated to Level 1 regardless of transaction volume. Payment brands can also assign Level 1 status at their discretion.",{"label":1702,"content":1703},"How much does a PCI DSS Level 1 assessment cost?","Level 1 QSA assessments typically cost $50,000 to over $500,000 depending on environment complexity, number of locations, and control maturity. Self-assessment at Levels 2–4 is less expensive but still requires significant internal effort for evidence gathering and documentation.",{},"\u002Fframeworks\u002Fpci\u002Fcompliance-levels",[215,1707],"grc",[1320,1709,1710],"self-assessment-questionnaire","v4-changes",{"title":1712,"description":1713},"PCI DSS Compliance Levels Explained: Merchant Level 1–4 & Service Provider Requirements","PCI DSS merchant levels 1–4 and service provider levels explained — transaction thresholds, SAQ vs ROC validation, and what each level requires.","5.frameworks\u002Fpci\u002Fcompliance-levels","q9VxhLQLRZBdJPmHYvuWAhLc8o4cKzw19jyXrfSQ5Ww",{"id":1717,"title":1718,"advantages":1719,"body":1741,"checklist":2145,"cta":2154,"description":195,"extension":207,"faq":2157,"hero":2175,"lastUpdated":2191,"meta":2192,"name":430,"navigation":210,"path":191,"resources":2193,"seo":2206,"slug":213,"stats":2209,"stem":2219,"__hash__":2220},"frameworks\u002F5.frameworks\u002Fpci.md","Pci",[1720,1727,1734],{"title":1721,"description":1722,"bullets":1723},"Cardholder data mapped","Visualize systems, networks, and data flows tied to each DSS requirement.",[1724,1725,1726],"Track segmentation documentation and approvals","Connect SIEM and log tools for retention evidence","Link vulnerability scans and pen tests to controls",{"title":1728,"description":1729,"bullets":1730},"Task orchestration for engineering","Send prioritized remediation tasks to Jira or Linear with context.",[1731,1732,1733],"Auto-created tickets with required evidence","SLA tracking ensures high-risk remediations close on time","Change management logs sync back automatically",{"title":1735,"description":1736,"bullets":1737},"QSA-ready collaboration","Centralize requests, walkthroughs, and findings with secure file sharing.",[1738,1739,1740],"QSA comments resolve next to each control","Expiring links for sensitive diagrams","Exportable ROC narrative drafts",{"type":7,"value":1742,"toc":2132},[1743,1746,1753,1756,1759,1763,1770,1858,1861,1865,1872,1876,1888,1892,1899,1946,1958,1962,1973,1976,1979,1983,1998,2002,2005,2041,2049,2053,2056,2060,2072,2076,2079,2129],[10,1744,232],{"id":1745},"what-is-pci-dss",[15,1747,1748,1749,1752],{},"The Payment Card Industry Data Security Standard -- universally known as ",[189,1750,430],{"href":1751},"\u002Fglossary\u002Fpci-dss"," -- is the global baseline for protecting payment card data. Any organization that stores, processes, or transmits cardholder data is expected to meet PCI DSS, from a mom-and-pop e-commerce store to a Fortune 500 retailer and every payment processor in between. PCI DSS exists because card data is one of the most monetizable targets on the internet, and a single breach can expose millions of account numbers, trigger steep fines, and end businesses. PCI DSS translates decades of hard-won lessons into a prescriptive framework that security, engineering, and finance teams can operationalize.",[15,1754,1755],{},"PCI DSS is maintained by the Payment Card Industry Security Standards Council (PCI SSC), an independent standards body founded in 2006 by the five major payment brands: Visa, Mastercard, American Express, Discover, and JCB. The PCI SSC writes and publishes the standard, accredits assessors and scanning vendors, and runs supporting programs such as PA-DSS (now replaced by the PCI Secure Software Standard) and P2PE. While the PCI SSC owns the standard itself, it does not enforce PCI DSS. Enforcement is delegated to the card brands, which in turn push obligations down through acquiring banks and payment processors to merchants and service providers. In practice, your acquirer is the entity that tells you which PCI DSS validation path you owe and what happens if you fail it.",[15,1757,1758],{},"PCI DSS emerged from a patchwork of brand-specific programs in the early 2000s, including Visa's Cardholder Information Security Program (CISP) and Mastercard's Site Data Protection (SDP). PCI DSS v1.0 launched in December 2004. PCI DSS v2.0 arrived in 2010, v3.0 in 2013, v3.1 in 2015, v3.2 in 2016, v3.2.1 in 2018, and the long-anticipated PCI DSS v4.0 in March 2022, followed by v4.0.1 clarifications in June 2024. Organizations have until March 31, 2025 to fully meet the new \"future-dated\" PCI DSS v4.0 requirements. Each revision tightens controls around emerging threats: phishing-resistant authentication, e-commerce script tampering, automated log review, and customized approaches for mature security programs.",[10,1760,1762],{"id":1761},"the-12-pci-dss-requirements","The 12 PCI DSS requirements",[15,1764,1765,1766,1769],{},"PCI DSS organizes technical and operational controls across twelve core requirements grouped into six objectives. The full set of PCI DSS requirements is detailed on the ",[189,1767,1768],{"href":1404},"PCI DSS requirements page","; at a glance they are:",[500,1771,1772,1782,1788,1804,1810,1816,1822,1828,1834,1840,1846,1852],{},[30,1773,1774,1777,1778,193],{},[33,1775,1776],{},"Install and maintain network security controls"," -- firewalls and equivalent controls around the ",[189,1779,1781],{"href":1780},"\u002Fglossary\u002Fcardholder-data-environment","cardholder data environment",[30,1783,1784,1787],{},[33,1785,1786],{},"Apply secure configurations to all system components"," -- hardening standards, default credential elimination, and secure build baselines.",[30,1789,1790,1793,1794,1798,1799,1803],{},[33,1791,1792],{},"Protect stored account data"," -- encryption, truncation, hashing, or ",[189,1795,1797],{"href":1796},"\u002Fglossary\u002Ftokenization","tokenization"," of the ",[189,1800,1802],{"href":1801},"\u002Fglossary\u002Fpan","PAN"," and prohibition on storing sensitive authentication data.",[30,1805,1806,1809],{},[33,1807,1808],{},"Protect cardholder data with strong cryptography during transmission"," over open, public networks.",[30,1811,1812,1815],{},[33,1813,1814],{},"Protect all systems and networks from malicious software"," -- anti-malware on in-scope systems and defenses against script-based threats.",[30,1817,1818,1821],{},[33,1819,1820],{},"Develop and maintain secure systems and software"," -- secure SDLC, patching, and vulnerability management for in-scope systems.",[30,1823,1824,1827],{},[33,1825,1826],{},"Restrict access to system components and cardholder data by business need to know"," -- least-privilege role design.",[30,1829,1830,1833],{},[33,1831,1832],{},"Identify users and authenticate access to system components"," -- unique IDs, strong authentication, and phishing-resistant MFA.",[30,1835,1836,1839],{},[33,1837,1838],{},"Restrict physical access to cardholder data"," -- physical security for facilities, media, and devices.",[30,1841,1842,1845],{},[33,1843,1844],{},"Log and monitor all access to system components and cardholder data"," -- centralized logging, daily review, and tamper protection.",[30,1847,1848,1851],{},[33,1849,1850],{},"Test security of systems and networks regularly"," -- ASV scans, internal scans, pen tests, and segmentation validation.",[30,1853,1854,1857],{},[33,1855,1856],{},"Support information security with organizational policies and programs"," -- governance, awareness, incident response, and third-party oversight.",[15,1859,1860],{},"Each PCI DSS requirement is broken into numbered sub-requirements with explicit testing procedures that an assessor follows line by line. The \"defined approach\" dictates specific controls; PCI DSS v4.0 also introduces a \"customized approach\" where mature organizations can meet a requirement's objective through alternative controls, documented in a controls matrix and targeted risk analysis.",[10,1862,1864],{"id":1863},"pci-dss-v40-changes","PCI DSS v4.0 changes",[15,1866,1867,1868,193],{},"PCI DSS v4.0 is the largest revision in more than a decade. Its headline shifts include a customized-approach validation path, mandatory multi-factor authentication for all access into the CDE, expanded requirements to detect and respond to e-commerce script tampering, targeted risk analyses replacing prescriptive frequencies, and stronger expectations for continuous security rather than point-in-time compliance. Several of the most material v4.0 controls became mandatory on March 31, 2025 after a two-year grace period. The full changelog, new testing procedures, and a migration checklist are covered in the ",[189,1869,1871],{"href":1870},"\u002Fframeworks\u002Fpci\u002Fv4-changes","PCI DSS v4.0 changes guide",[10,1873,1875],{"id":1874},"merchant-compliance-levels-1-4","Merchant compliance levels 1-4",[15,1877,1878,1879,1883,1884,1887],{},"Every merchant is assigned to one of four PCI DSS compliance levels based on annual card transaction volume across all channels. PCI DSS Level 1 covers merchants processing more than 6 million transactions per year and requires a formal Report on Compliance (ROC) signed by a ",[189,1880,1882],{"href":1881},"\u002Fglossary\u002Fqsa","QSA",". Level 2 covers 1-6 million transactions. Level 3 covers 20,000 to 1 million e-commerce transactions. Level 4 covers everything below those thresholds. Service providers have their own two-level structure. Your acquiring bank can also assign you a higher PCI DSS level at its discretion -- particularly after a breach. The ",[189,1885,1886],{"href":1705},"PCI DSS compliance levels page"," breaks down every threshold by card brand and the validation path each level owes.",[10,1889,1891],{"id":1890},"self-assessment-questionnaires-saqs","Self-Assessment Questionnaires (SAQs)",[15,1893,1894,1895,1898],{},"Merchants and service providers that are not required to complete a full PCI DSS Report on Compliance validate using a ",[189,1896,1897],{"href":211},"Self-Assessment Questionnaire",", or SAQ. The PCI SSC publishes nine SAQ types, each tailored to a specific acceptance channel and technology profile:",[27,1900,1901,1906,1911,1916,1921,1926,1931,1936],{},[30,1902,1903,1905],{},[33,1904,35],{}," -- card-not-present merchants that fully outsource all cardholder data functions.",[30,1907,1908,1910],{},[33,1909,41],{}," -- e-commerce merchants that partially outsource payment processing but host pages that could affect payment page security.",[30,1912,1913,1915],{},[33,1914,47],{}," -- merchants using only imprint machines or standalone dial-out terminals.",[30,1917,1918,1920],{},[33,1919,53],{}," -- merchants using only standalone IP-connected POI devices.",[30,1922,1923,1925],{},[33,1924,65],{}," -- merchants entering transactions into a virtual payment terminal.",[30,1927,1928,1930],{},[33,1929,59],{}," -- merchants with payment application systems connected to the internet.",[30,1932,1933,1935],{},[33,1934,77],{}," -- merchants using PCI-listed point-to-point encryption solutions.",[30,1937,1938,1941,1942,1945],{},[33,1939,1940],{},"SAQ D for Merchants"," and ",[33,1943,1944],{},"SAQ D for Service Providers"," -- the catch-all SAQs for entities that store cardholder data or do not qualify for a simpler SAQ.",[15,1947,1948,1949,1952,1953,1957],{},"Eligibility is narrow and precise. Picking the wrong SAQ is one of the most common PCI DSS mistakes -- and one that an acquiring bank or breach investigation can expose instantly. The ",[189,1950,1951],{"href":1435},"SAQ reference"," and the ",[189,1954,1956],{"href":1955},"\u002Fframeworks\u002Fpci\u002Fsaq-types-explained","SAQ types explained"," page walk through each SAQ's eligibility, question count, and typical pitfalls.",[10,1959,1961],{"id":1960},"cardholder-data-environment-cde-and-scoping","Cardholder data environment (CDE) and scoping",[15,1963,1964,1965,1967,1968,1972],{},"Every PCI DSS program begins with scoping. The ",[189,1966,1781],{"href":1780},", or CDE, is the set of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data, plus any system component that is connected to or could impact the security of those components. Determining what is in ",[189,1969,1971],{"href":1970},"\u002Fglossary\u002Fpci-scope","PCI scope"," is the single highest-leverage activity in a PCI DSS program -- it drives how many controls apply, how much evidence you collect, and how much your QSA engagement costs.",[15,1974,1975],{},"PCI DSS scoping has three categories: CDE systems that directly handle card data; connected-to systems that can route traffic to the CDE, authenticate CDE users, or otherwise interact with CDE components; and security-impacting systems that could affect CDE security even without direct connectivity (think SIEM, patch management, or anti-malware consoles). All three categories are in scope for PCI DSS.",[15,1977,1978],{},"Document your CDE with an annotated network diagram and a data-flow diagram for every payment channel. PCI DSS v4.0 makes these diagrams a requirement, not a nice-to-have, and your assessor will test them during every assessment.",[10,1980,1982],{"id":1981},"scope-reduction-strategies","Scope reduction strategies",[15,1984,1985,1986,1988,1989,1993,1994,1997],{},"Because PCI DSS obligations scale with the CDE, shrinking the CDE is the fastest way to cut PCI DSS cost and risk. Effective ",[189,1987,1605],{"href":1604}," typically combines four levers: strong ",[189,1990,1992],{"href":1991},"\u002Fframeworks\u002Fpci\u002Fnetwork-segmentation","network segmentation"," that isolates the CDE onto dedicated VLANs with tightly controlled firewall rules; ",[189,1995,1797],{"href":1996},"\u002Fframeworks\u002Fpci\u002Ftokenization-vs-encryption"," that replaces stored PANs with non-sensitive surrogates; PCI-listed point-to-point encryption (P2PE) that removes in-store networks from PCI scope; and outsourcing card capture to a validated service provider so your systems never touch real card data. Layered correctly, these strategies can reduce a PCI DSS assessment from hundreds of in-scope systems to a handful.",[10,1999,2001],{"id":2000},"key-pci-dss-roles-qsas-asvs-and-isas","Key PCI DSS roles: QSAs, ASVs, and ISAs",[15,2003,2004],{},"Three accredited roles support every PCI DSS program:",[27,2006,2007,2022,2035],{},[30,2008,2009,2016,2017,2021],{},[33,2010,2011,2012,2015],{},"Qualified Security Assessors (",[189,2013,2014],{"href":1881},"QSAs",")"," -- individuals and firms certified by the PCI SSC to perform on-site PCI DSS assessments, produce the ROC, and sign the Attestation of Compliance. Selecting the right QSA shapes your PCI DSS experience for years; the ",[189,2018,2020],{"href":2019},"\u002Fframeworks\u002Fpci\u002Fqsa-selection","QSA selection guide"," covers how to evaluate firms, cost drivers, and red flags.",[30,2023,2024,2030,2031,2034],{},[33,2025,2026,2027,2015],{},"Approved Scanning Vendors (",[189,2028,2029],{"href":1029},"ASVs"," -- PCI SSC-approved firms that run the quarterly external vulnerability scans required by PCI DSS Requirement 11.3.2. The ",[189,2032,2033],{"href":1316},"ASV program guide"," covers vendor selection, scanning cadence, passing thresholds, and remediation workflows.",[30,2036,2037,2040],{},[33,2038,2039],{},"Internal Security Assessors (ISAs)"," -- employees who have completed PCI SSC training and can complete certain internal PCI DSS assessments or support a QSA engagement. ISAs are a cost-effective way to build PCI DSS capability inside large programs.",[15,2042,2043,2044,2048],{},"Penetration testing (Requirement 11.4) sits alongside ASV scanning and is a frequent source of PCI DSS findings. The ",[189,2045,2047],{"href":2046},"\u002Fframeworks\u002Fpci\u002Fpenetration-testing","PCI DSS penetration testing guide"," covers internal vs external scope, segmentation testing, and frequency.",[10,2050,2052],{"id":2051},"penalties-for-non-compliance","Penalties for non-compliance",[15,2054,2055],{},"PCI DSS is not law, but non-compliance carries material financial consequences. Acquirers can levy fines of $5,000 to $100,000 per month for PCI DSS violations, pass fines down to merchants, raise transaction fees, or revoke payment processing privileges outright. After a confirmed breach of card data, a merchant typically faces a forensic PFI investigation, card brand fines, assessments for fraud losses, reissuance costs for compromised cards, and mandatory Level 1 PCI DSS validation going forward. Regulators and state attorneys general may also get involved, and the organization almost always faces litigation. In short, PCI DSS fines are rarely the largest line item -- the true cost of a breach is reputational damage, customer churn, and the fully loaded cost of breach response.",[10,2057,2059],{"id":2058},"pci-dss-vs-other-frameworks","PCI DSS vs other frameworks",[15,2061,2062,2063,2066,2067,2071],{},"PCI DSS is narrower and more prescriptive than most security frameworks. ISO 27001 is a management-system standard focused on the process of running an ISMS; it tells you how to manage risk but does not specify controls the way PCI DSS does. SOC 2 is an attestation framework where you define your own controls against the Trust Services Criteria; PCI DSS prescribes them. HIPAA and HITECH cover protected health information, not cardholder data. NIST CSF and NIST SP 800-53 offer control catalogues and risk management guidance that many organizations map into their PCI DSS program, especially under the v4.0 customized approach. PCI DSS is also one of the few frameworks with ongoing external validation -- ASV scans every quarter, penetration tests at least annually, and a full assessment every year. For businesses in the ",[189,2064,2065],{"href":1623},"finance industry"," or running ",[189,2068,2070],{"href":2069},"\u002Findustry\u002Fecommerce","e-commerce"," platforms, PCI DSS almost always becomes the binding constraint that the rest of the security program organizes around.",[10,2073,2075],{"id":2074},"getting-pci-compliant","Getting PCI compliant",[15,2077,2078],{},"A typical path to PCI DSS compliance looks like this:",[500,2080,2081,2087,2093,2099,2105,2111,2117,2123],{},[30,2082,2083,2086],{},[33,2084,2085],{},"Define scope"," -- inventory every place card data lives, moves, or could move. Produce annotated network and data-flow diagrams.",[30,2088,2089,2092],{},[33,2090,2091],{},"Reduce scope"," -- apply segmentation, tokenization, P2PE, and outsourcing to shrink the CDE before assessment.",[30,2094,2095,2098],{},[33,2096,2097],{},"Select your validation path"," -- confirm your PCI DSS level with your acquirer and determine whether you owe a ROC or an SAQ.",[30,2100,2101,2104],{},[33,2102,2103],{},"Gap assess"," -- map your current controls to every applicable PCI DSS requirement and prioritize remediation.",[30,2106,2107,2110],{},[33,2108,2109],{},"Remediate and document"," -- close gaps, write the policies and procedures PCI DSS expects, and stand up the logging, monitoring, scanning, and testing programs.",[30,2112,2113,2116],{},[33,2114,2115],{},"Engage your QSA or ASV"," -- commission the ASV scans, book the penetration test, and (for Level 1) schedule your QSA engagement early enough to allow remediation cycles.",[30,2118,2119,2122],{},[33,2120,2121],{},"Validate and attest"," -- produce the ROC or SAQ plus Attestation of Compliance, and submit to your acquirer on the required cadence.",[30,2124,2125,2128],{},[33,2126,2127],{},"Operate continuously"," -- PCI DSS v4.0 expects continuous monitoring, targeted risk analyses, and evidence that controls stay effective between assessments.",[15,2130,2131],{},"episki automates the bulk of the evidence collection, control testing, and QSA collaboration work so your PCI DSS program is audit-ready year-round instead of scrambling at the end of each cycle. If you are starting a new PCI DSS program or rebuilding an existing one, episki can shorten your path from scoping through Report on Compliance.",{"title":195,"searchDepth":196,"depth":196,"links":2133},[2134,2135,2136,2137,2138,2139,2140,2141,2142,2143,2144],{"id":1745,"depth":196,"text":232},{"id":1761,"depth":196,"text":1762},{"id":1863,"depth":196,"text":1864},{"id":1874,"depth":196,"text":1875},{"id":1890,"depth":196,"text":1891},{"id":1960,"depth":196,"text":1961},{"id":1981,"depth":196,"text":1982},{"id":2000,"depth":196,"text":2001},{"id":2051,"depth":196,"text":2052},{"id":2058,"depth":196,"text":2059},{"id":2074,"depth":196,"text":2075},{"title":2146,"description":2147,"items":2148},"PCI DSS playbook","Follow structured milestones from scoping through ROC submission.",[2149,2150,2151,2152,2153],"Automated scope confirmation questionnaires","Connector-backed logging and monitoring checks","Quarterly vulnerability and penetration testing tracker","Change-management evidence capture","ROC narrative template and artifact index",{"title":2155,"description":2156},"Keep PCI DSS audit-ready around the clock","Spin up your trial, sync evidence, and invite your QSA in a single day.",{"title":2158,"items":2159},"PCI DSS frequently asked questions",[2160,2163,2166,2169,2172],{"label":2161,"content":2162},"What are the PCI DSS compliance levels?","PCI DSS has four merchant levels based on annual transaction volume. Level 1 (over 6 million transactions) requires a formal Report on Compliance by a QSA. Levels 2-4 may self-assess using the appropriate Self-Assessment Questionnaire (SAQ). Service providers have two levels with different validation requirements.",{"label":2164,"content":2165},"What changed in PCI DSS 4.0?","PCI DSS 4.0 introduced a customized validation approach allowing organizations to meet objectives with alternative controls, expanded multi-factor authentication requirements, strengthened e-commerce and phishing protections, and added emphasis on continuous security rather than point-in-time compliance.",{"label":2167,"content":2168},"Who needs PCI DSS compliance?","Any organization that stores, processes, or transmits cardholder data must comply with PCI DSS. This includes merchants, payment processors, acquirers, issuers, and service providers. The scope is determined by your cardholder data environment (CDE).",{"label":2170,"content":2171},"How often is a PCI DSS assessment required?","PCI DSS assessments are required annually. Level 1 merchants and service providers must complete a formal assessment by a Qualified Security Assessor (QSA). Additionally, quarterly network vulnerability scans by an Approved Scanning Vendor (ASV) are required.",{"label":2173,"content":2174},"What is a cardholder data environment (CDE)?","The CDE includes all people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data, plus any systems connected to those components. Accurate CDE scoping is the foundation of an efficient PCI DSS assessment.",{"headline":2176,"title":2177,"description":2178,"links":2179},"PCI controls that stay current","Keep PCI DSS requirements passing even as your CDE evolves","episki maps DSS requirements, automates testing, and keeps QSAs collaborating in one secure workspace.",[2180,2184],{"label":2181,"icon":2182,"to":2183},"Start PCI trial","i-lucide-rocket","https:\u002F\u002Fepiski.app\u002Fauth\u002Fregister",{"label":2185,"icon":2186,"color":2187,"variant":2188,"to":2189,"target":2190},"Book a demo","i-lucide-calendar","neutral","subtle","\u002Fdemo","_blank","2026-04-27",{},{"headline":2194,"title":2194,"description":2195,"items":2196},"PCI enablement kit","Give leadership, ops, and QSAs a single source of truth.",[2197,2200,2203],{"title":2198,"description":2199},"CDE architecture report","Share sanitized diagrams and segmentation notes with prospects.",{"title":2201,"description":2202},"Risk and remediation digest","Weekly summary of open items, owners, and due dates.",{"title":2204,"description":2205},"Assessor workspace","Prebuilt template keeps every requirement, artifact, and note aligned.",{"title":2207,"description":2208},"PCI DSS Compliance Tool","Automate PCI DSS evidence collection, manage QSA collaboration, and keep cardholder data controls current. Start your free 14-day trial with episki.",[2210,2213,2216],{"value":2211,"description":2212},"90% automation","Evidence coverage across access, logging, segmentation, and monitoring.",{"value":2214,"description":2215},"QSA portal","Scoped access keeps your assessor in sync without endless spreadsheets.",{"value":2217,"description":2218},"Weekly drift checks","Automated alerts highlight misconfigurations before audits.","5.frameworks\u002Fpci","wxvQHRYeBHEsDrDF1QZg43Nio6AvwX3DWW21RftBG2c",{"id":2222,"title":2223,"body":2224,"comparison":2315,"competitorA":2359,"competitorB":2360,"cta":2361,"description":195,"extension":207,"faq":2364,"hero":2365,"lastUpdated":2191,"meta":2374,"navigation":210,"path":2375,"seo":2376,"slug":2379,"slugA":2380,"slugB":2381,"stem":2382,"verdict":2383,"__hash__":2387},"compareVs\u002F7.compare\u002Fvs\u002Fdrata-vs-secureframe.md","Drata Vs Secureframe",{"type":7,"value":2225,"toc":2305},[2226,2230,2233,2237,2240,2246,2249,2253,2256,2259,2262,2266,2269,2272,2276,2279,2282,2286,2289,2292,2296,2299,2302],[10,2227,2229],{"id":2228},"drata-vs-secureframe-the-closest-comparison-in-compliance","Drata vs Secureframe: the closest comparison in compliance",[15,2231,2232],{},"If Vanta is the 800-pound gorilla, Drata and Secureframe are the two challengers most often compared against each other. They target similar buyers, cover similar frameworks, and offer similar automation. The differences are real but subtle — and they matter most in how your team experiences the platform day to day.",[19,2234,2236],{"id":2235},"feature-parity-with-different-emphasis","Feature parity with different emphasis",[15,2238,2239],{},"On paper, Drata and Secureframe look nearly identical. Both automate evidence collection, monitor your compliance posture continuously, support 15+ frameworks, and provide auditor-facing portals. The overlap is so significant that choosing between them often comes down to three factors: onboarding style, dashboard experience, and pricing.",[15,2241,2242,2245],{},[33,2243,2244],{},"Onboarding style"," is the clearest differentiator. Drata leans toward self-serve. The platform guides you through integration setup, control mapping, and evidence configuration with in-app workflows. For teams with compliance experience, this speed is an advantage — you can be operational in 1–2 weeks without waiting for a human to walk you through every step.",[15,2247,2248],{},"Secureframe takes the opposite approach. Every customer gets access to dedicated compliance managers who help interpret requirements, map controls to your environment, and prepare for audit. This white-glove model adds a week or two to implementation but dramatically reduces the learning curve for first-time audit teams.",[19,2250,2252],{"id":2251},"the-dashboard-question","The dashboard question",[15,2254,2255],{},"Drata's compliance dashboard is one of its signature features. The real-time posture view shows passing and failing controls across every framework, with compliance percentages and trend data. For compliance leads who report to a CISO or board, this visual layer simplifies status updates and makes it easy to demonstrate progress.",[15,2257,2258],{},"Secureframe also provides dashboards, but they feel more functional than visual. The platform surfaces actionable items — controls that need attention, evidence that's expiring, gaps to remediate — in a task-oriented format. It's effective, but it doesn't deliver the same at-a-glance executive view that Drata provides.",[15,2260,2261],{},"For teams that need board-ready compliance reporting, Drata has the edge. For teams that care more about daily workflow and task management, Secureframe's approach may feel more productive.",[19,2263,2265],{"id":2264},"integration-depth","Integration depth",[15,2267,2268],{},"Secureframe holds a slight advantage in integration count, with 150+ connections compared to Drata's 100+. The extra integrations primarily cover developer tools, identity providers, and security platforms. For teams running complex stacks with multiple CI\u002FCD pipelines, vulnerability scanners, and endpoint management tools, Secureframe's broader integration library means less manual evidence collection.",[15,2270,2271],{},"Drata's integrations, while fewer in number, tend to offer deeper configuration options for the platforms they do support. If your stack is standard — AWS or GCP, Okta or Google Workspace, GitHub, and a common HR tool — both platforms will serve you equally well.",[19,2273,2275],{"id":2274},"pricing-opacity","Pricing opacity",[15,2277,2278],{},"Neither Drata nor Secureframe publishes pricing. Both require a sales conversation to get a quote, and both scale based on team size, framework count, and contract terms. Based on market data, Drata typically starts around $10,000–$15,000\u002Fyr while Secureframe starts slightly lower at $8,000–$12,000\u002Fyr. At scale, both reach $30,000–$50,000\u002Fyr for larger organizations.",[15,2280,2281],{},"This pricing opacity creates a frustrating buying experience. You can't model costs internally before engaging sales. You can't easily compare options. And renewal conversations often involve price increases that are hard to predict at the time of initial purchase.",[19,2283,2285],{"id":2284},"where-both-platforms-struggle","Where both platforms struggle",[15,2287,2288],{},"The irony of comparing Drata and Secureframe is that their most significant limitations are shared. Both use pricing models that punish team growth. Both rely on templated control libraries that resist customization. Both treat policy documentation as a secondary concern — something generated through forms rather than crafted through a proper writing experience.",[15,2290,2291],{},"And both lock you into their workflow assumptions. If your compliance program doesn't map cleanly to their templates — if you run hybrid frameworks, need custom controls, or want to structure programs differently than the default — you'll spend time working around the platform instead of working within it.",[19,2293,2295],{"id":2294},"the-case-for-a-different-approach","The case for a different approach",[15,2297,2298],{},"When two products are this similar, the deciding factor often isn't which one is better — it's whether either one is the right category of tool for your needs. If you want maximum automation and are comfortable with enterprise pricing, Drata and Secureframe both deliver.",[15,2300,2301],{},"But if you want flat pricing at $500\u002Fmo, a Notion-like editor for compliance documentation, and the freedom to build programs that reflect how your team actually operates — episki offers something neither Drata nor Secureframe provides. No per-seat scaling. No opaque quotes. No templated policies that read like every other company's.",[15,2303,2304],{},"Just a workspace your compliance team will use daily, at a price that doesn't make your CFO wince.",{"title":195,"searchDepth":196,"depth":196,"links":2306},[2307],{"id":2228,"depth":196,"text":2229,"children":2308},[2309,2310,2311,2312,2313,2314],{"id":2235,"depth":201,"text":2236},{"id":2251,"depth":201,"text":2252},{"id":2264,"depth":201,"text":2265},{"id":2274,"depth":201,"text":2275},{"id":2284,"depth":201,"text":2285},{"id":2294,"depth":201,"text":2295},[2316,2320,2324,2329,2334,2339,2344,2349,2354],{"feature":1189,"competitorA":2317,"competitorB":2318,"episki":2319},"Custom pricing, typically starting around $10,000–$15,000\u002Fyr","Custom pricing, typically starting around $8,000–$12,000\u002Fyr","Flat $500\u002Fmo or $5,000\u002Fyr with unlimited seats",{"feature":2321,"competitorA":2322,"competitorB":2322,"episki":2323},"Framework coverage","SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and 15+ frameworks","SOC 2, ISO 27001, HIPAA, PCI DSS, NIST CSF, and custom frameworks",{"feature":2325,"competitorA":2326,"competitorB":2327,"episki":2328},"Automation depth","Automated evidence collection with real-time compliance dashboards","Automated monitoring with continuous evidence collection and alerts","AI-assisted drafting and structured workflows with manual evidence uploads",{"feature":2330,"competitorA":2331,"competitorB":2332,"episki":2333},"Integration count","100+ integrations covering major cloud and SaaS platforms","150+ integrations covering cloud, identity, HR, and developer tools","Growing integration library with focus on structured evidence reuse",{"feature":2335,"competitorA":2336,"competitorB":2337,"episki":2338},"Auditor collaboration","Auditor-facing portal with read-only access and evidence downloads","Auditor-ready evidence rooms with structured access controls","Built-in auditor portal with scoped access and Q&A threads",{"feature":2340,"competitorA":2341,"competitorB":2342,"episki":2343},"AI features","AI-assisted control mapping and compliance recommendations","AI-driven compliance recommendations and automated risk scoring","AI drafts policies, narratives, remediation steps, and questionnaire answers",{"feature":2345,"competitorA":2346,"competitorB":2347,"episki":2348},"Implementation time","1–3 weeks with self-serve setup and optional guided onboarding","2–3 weeks with guided onboarding and compliance expertise","Same-day setup with self-serve onboarding and optional demo",{"feature":2350,"competitorA":2351,"competitorB":2352,"episki":2353},"Support model","In-app chat, email support, and dedicated CSM for larger accounts","Dedicated compliance managers, email, and in-app support","Direct founder access, in-app chat, and shared Slack channels",{"feature":2355,"competitorA":2356,"competitorB":2357,"episki":2358},"Free trial","Demo-based sales process, limited free trial availability","Demo-based sales process, no public free trial","14-day free trial with full access, no credit card required","Drata","Secureframe",{"title":2362,"description":2363},"Skip the comparison. Try episki free.","14-day trial with full access. No credit card required.",null,{"headline":2366,"title":2367,"description":2368,"links":2369},"Drata vs Secureframe","Similar features, different approaches to compliance automation","Compare Drata and Secureframe across pricing, onboarding, and compliance workflows. Two closely matched platforms with subtle but important differences for your team.",[2370,2372],{"label":2371,"icon":2182,"to":2183},"Try episki free",{"label":2185,"icon":2373,"color":2187,"variant":2188,"to":2189,"target":2190},"i-lucide-message-circle",{},"\u002Fcompare\u002Fvs\u002Fdrata-vs-secureframe",{"title":2377,"description":2378},"Drata vs Secureframe (2026): Pricing, Features & Honest Comparison","Drata vs Secureframe compared on pricing, onboarding, framework coverage, and compliance automation. See which platform fits your team — or why neither might be the best choice.","drata-vs-secureframe","drata","secureframe","7.compare\u002Fvs\u002Fdrata-vs-secureframe",{"chooseA":2384,"chooseB":2385,"chooseEpiski":2386},"Choose Drata if you value self-serve speed and visual compliance dashboards. Drata gets you operational faster and provides the clearest real-time view of your compliance posture — ideal for teams with in-house compliance knowledge.","Choose Secureframe if you want more hands-on guidance from dedicated compliance managers. Secureframe's human-led onboarding is better for teams running their first audit without experienced GRC staff.","Choose episki if you want transparent pricing, a writing-first editor, and the flexibility to structure programs your way. episki is for teams that want to own their compliance narrative without paying enterprise prices.","-9bT-xU4uDSMSn9zCOtrDaYtPz87mkvNHS5pQ2bXDTw",{"id":2389,"title":2359,"advantages":2390,"body":2412,"comparison":2463,"competitor":2359,"cta":2490,"description":195,"extension":207,"hero":2493,"lastUpdated":2191,"meta":2502,"navigation":210,"path":2503,"seo":2504,"slug":2380,"stem":2507,"__hash__":2508},"compare\u002F7.compare\u002Fdrata.md",[2391,2398,2405],{"title":2392,"description":2393,"bullets":2394},"One flat price for everything","episki includes unlimited frameworks, teammates, and portals for a single monthly or annual fee. No tiers, no negotiations.",[2395,2396,2397],"Add frameworks without upgrading to a higher tier","Invite auditors, customers, and stakeholders at no extra cost","Predictable billing that does not scale with headcount",{"title":2399,"description":2400,"bullets":2401},"Connected programs and assessments","episki treats compliance as connected work. Programs, assessments, controls, tasks, and issues link together so nothing falls through the cracks.",[2402,2403,2404],"Run recurring programs and one-time assessments side by side","Tasks inherit context from parent controls and programs","Evidence attaches once and stays available across every framework",{"title":2406,"description":2407,"bullets":2408},"Fast, keyboard-driven workspace","episki is built for people who spend hours in the tool. Keyboard shortcuts, global search, and a rich editor make daily compliance work feel fast.",[2409,2410,2411],"Navigate between programs, controls, and evidence without lifting your hands","Inline editing for policies, narratives, and response drafts","Dark mode and responsive layout for any screen",{"type":7,"value":2413,"toc":2458},[2414,2418,2421,2424,2444,2448,2451,2455],[10,2415,2417],{"id":2416},"why-teams-evaluate-drata-alternatives","Why teams evaluate Drata alternatives",[15,2419,2420],{},"Drata has built a comprehensive compliance automation platform with strong automated evidence collection and a wide library of supported frameworks. It works well for organizations that want continuous monitoring with minimal manual intervention.",[15,2422,2423],{},"Some teams look for alternatives when they need:",[27,2425,2426,2432,2438],{},[30,2427,2428,2431],{},[33,2429,2430],{},"Simpler pricing"," — Drata's tiered pricing based on framework count and company size can make budgeting unpredictable, especially for organizations running multiple frameworks or growing quickly.",[30,2433,2434,2437],{},[33,2435,2436],{},"Unified program management"," — teams managing overlapping compliance programs want controls, evidence, and tasks connected across frameworks in a single workspace rather than managed as separate compliance tracks.",[30,2439,2440,2443],{},[33,2441,2442],{},"A daily-use workspace"," — compliance teams that spend significant time writing, reviewing, and collaborating want an editor and navigation experience that feels productive rather than transactional.",[10,2445,2447],{"id":2446},"when-drata-might-be-the-better-fit","When Drata might be the better fit",[15,2449,2450],{},"Drata is a strong choice for teams that prioritize automated continuous monitoring and need a platform with deep integration coverage across cloud, identity, HR, and development tools. If your primary concern is automating evidence collection and you operate in a well-defined framework like SOC 2 or ISO 27001, Drata's automation depth is compelling.",[10,2452,2454],{"id":2453},"when-episki-shines","When episki shines",[15,2456,2457],{},"episki is designed for teams that view compliance as ongoing, cross-functional work rather than a monitoring dashboard. If you run multiple programs, collaborate with auditors directly in the tool, and want a workspace that feels as fast as your engineering tools, episki delivers a different kind of compliance experience.",{"title":195,"searchDepth":196,"depth":196,"links":2459},[2460,2461,2462],{"id":2416,"depth":196,"text":2417},{"id":2446,"depth":196,"text":2447},{"id":2453,"depth":196,"text":2454},[2464,2466,2467,2471,2475,2478,2482,2486],{"feature":1189,"episki":2319,"competitor":2465},"Tiered pricing based on framework count and company size",{"feature":2321,"episki":2323,"competitor":2322},{"feature":2468,"episki":2469,"competitor":2470},"Control management","Linked control graph with cross-framework reuse and ownership","Control library with automated testing and monitoring",{"feature":2472,"episki":2473,"competitor":2474},"Evidence collection","Manual uploads with structured ownership and reuse across frameworks","Automated evidence collection with 100+ integrations",{"feature":2476,"episki":2343,"competitor":2477},"AI assistance","AI-powered compliance automation",{"feature":2479,"episki":2480,"competitor":2481},"Risk management","Risk registers with remediation tracking tied to controls","Built-in risk management with scoring and treatment plans",{"feature":2483,"episki":2484,"competitor":2485},"Editor experience","Notion-like rich text editor with inline editing","Structured forms and workflow-based interface",{"feature":2487,"episki":2488,"competitor":2489},"Collaboration","Built-in auditor portal, customer portals, and team workspaces","Auditor-facing dashboards and team collaboration features",{"title":2491,"description":2492},"Try episki side by side with Drata","Start a free trial with all features enabled. Import your controls and see the difference.",{"headline":2494,"title":2495,"description":2496,"links":2497},"episki vs Drata","How episki compares to Drata for compliance teams","A head-to-head on pricing, workflow design, and framework flexibility. See why teams that want a faster, more collaborative compliance workspace switch from Drata to episki.",[2498,2500],{"label":2499,"icon":2182,"to":2183},"Start free trial",{"label":2501,"icon":2373,"color":2187,"variant":2188,"to":2189,"target":2190},"See a live demo",{},"\u002Fcompare\u002Fdrata",{"title":2505,"description":2506},"episki vs Drata (2026): Pricing, Flexibility & Why Teams Switch","Compare episki and Drata on pricing, workflow design, and framework flexibility. See why compliance teams switch from Drata to episki.","7.compare\u002Fdrata","cEQX4ERRc-uB7nEUxB1Uik-1ODue4boobvNZiV8Xrvk",{"id":2510,"title":2511,"api":2364,"authors":2512,"body":2518,"category":2654,"date":2655,"description":2656,"extension":207,"features":2364,"fixes":2364,"highlight":2364,"image":2657,"improvements":2364,"meta":2659,"navigation":210,"path":2660,"seo":2661,"stem":2662,"__hash__":2663},"posts\u002F3.now\u002Ftips.md","Tips for Building a Strong Security Culture",[2513],{"name":2514,"to":2515,"avatar":2516},"Justin Leapline","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fjustinleapline\u002F",{"src":2517},"\u002Fimages\u002Fjustinleapline.png",{"type":7,"value":2519,"toc":2646},[2520,2523,2526,2529,2532,2536,2539,2542,2545,2549,2552,2564,2567,2571,2574,2577,2580,2584,2587,2590,2593,2597,2600,2603,2606,2610,2613,2616,2619,2624,2634,2641],[15,2521,2522],{},"You can have the best firewall on the market, a mature vulnerability management program, and a SOC running 24\u002F7 — and still be one phishing email away from a serious incident.",[15,2524,2525],{},"Not because your tools failed. Because your people weren't part of the security equation.",[15,2527,2528],{},"Security culture is the difference between an organization where employees see security as someone else's job and one where they actively contribute to it. Building that culture is one of the hardest things a security leader can do — and one of the most valuable.",[15,2530,2531],{},"Here's what actually works.",[10,2533,2535],{"id":2534},"start-with-leadership-not-policy","Start With Leadership, Not Policy",[15,2537,2538],{},"Security culture doesn't start with a training video or an acceptable use policy. It starts at the top.",[15,2540,2541],{},"When executives treat security as a business priority — when they ask about risk posture in board meetings, when they model good security behavior, when they make it clear that security matters — that signal travels through the organization. When they treat it as an IT problem that lives in a different department, that signal travels too.",[15,2543,2544],{},"CISOs who want to build strong security cultures spend time educating and engaging their executive peers, not just their own teams. They make security visible at the leadership level — not as a compliance obligation, but as a business value. That top-down commitment creates the permission structure that everything else depends on.",[10,2546,2548],{"id":2547},"make-security-relevant-to-each-teams-work","Make Security Relevant to Each Team's Work",[15,2550,2551],{},"One of the most common mistakes in security awareness programs is treating every employee the same. A developer, a finance analyst, and a customer service rep face completely different security risks in their day-to-day work — and generic training that doesn't acknowledge those differences gets tuned out quickly.",[15,2553,2554,2555,2559,2560,2563],{},"Effective security culture programs meet people where they are. They connect security concepts to the specific tasks, tools, and risks each team encounters. They explain not just ",[2556,2557,2558],"em",{},"what"," the policy says, but ",[2556,2561,2562],{},"why"," it matters in the context of that person's actual job. When a finance employee understands why wire transfer verification procedures exist — because of the real attacks that target exactly their role — the procedure stops feeling like bureaucracy and starts feeling like protection.",[15,2565,2566],{},"Relevance drives retention. Generic awareness drives compliance theater.",[10,2568,2570],{"id":2569},"reward-the-right-behaviors","Reward the Right Behaviors",[15,2572,2573],{},"Most security programs are designed to catch and punish failures — the employee who clicked the phishing link, the team that bypassed the approval process, the contractor who shared credentials. Consequence is a necessary part of any security program, but it's a poor foundation for culture.",[15,2575,2576],{},"Organizations with strong security cultures also celebrate the behaviors they want to see more of. They recognize employees who report suspicious emails, who raise security concerns in project planning, who push back on shortcuts that introduce risk. They create safe channels for people to admit mistakes without fear of blame, because transparency about near-misses is infinitely more valuable than silence about them.",[15,2578,2579],{},"Psychological safety is a security control. When people are afraid to report problems, problems don't get reported — they get discovered later, when they're much more expensive.",[10,2581,2583],{"id":2582},"integrate-security-into-existing-workflows","Integrate Security Into Existing Workflows",[15,2585,2586],{},"Security culture erodes when security is experienced as friction — a separate process, an additional approval, a tool that slows things down. It strengthens when security is built into how work already gets done.",[15,2588,2589],{},"This means embedding security checkpoints into product development cycles, not bolting them on at the end. It means making secure defaults the easy defaults, so the path of least resistance is also the more secure path. It means involving security early in new business initiatives, not bringing them in after decisions are already made.",[15,2591,2592],{},"The goal isn't to make security invisible — it's to make it natural. When a developer automatically considers threat modeling as part of design, or when a procurement team reflexively asks about vendor security as part of due diligence, culture is working.",[10,2594,2596],{"id":2595},"measure-what-matters-and-be-honest-about-it","Measure What Matters — and Be Honest About It",[15,2598,2599],{},"Security culture is notoriously hard to measure, which leads many organizations to measure the wrong things — training completion rates, phishing simulation click rates, policy acknowledgment counts. These metrics are easy to collect and tell you almost nothing about actual cultural change.",[15,2601,2602],{},"More meaningful signals include: How quickly do employees report suspicious activity? Are security concerns being raised earlier in project lifecycles? Is the volume of policy exception requests going up or down — and why? Are teams coming to security proactively, or only when required?",[15,2604,2605],{},"These measures require more effort to collect, but they reflect something real. And being honest about what the data shows — including the parts that reveal cultural gaps — is what allows leaders to make targeted interventions rather than repeat the same awareness programs and hope for different results.",[10,2607,2609],{"id":2608},"build-for-the-long-game","Build for the Long Game",[15,2611,2612],{},"Security culture isn't built in a quarter. It's built over years of consistent messaging, visible leadership commitment, relevant education, and reinforcement of the right behaviors. It erodes just as slowly — through apathy, through leadership turnover, through programs that go stale, through a security team that becomes adversarial rather than collaborative.",[15,2614,2615],{},"The organizations with the strongest security cultures treat it as an ongoing investment, not a one-time initiative. They revisit and refresh their programs regularly. They measure progress honestly. And they understand that every interaction between the security team and the rest of the business is an opportunity to either build or undermine the culture they're trying to create.",[15,2617,2618],{},"Technology protects systems. Culture protects organizations.",[15,2620,2621],{},[33,2622,2623],{},"Ready to build a security culture that actually sticks?",[15,2625,2626,2627,2633],{},"At ",[189,2628,2632],{"href":2629,"rel":2630},"https:\u002F\u002Fepiski.com",[2631],"nofollow","Episki",", we help security leaders go beyond policies and awareness programs to build the organizational habits and leadership alignment that make security a shared value. If you're ready to make culture a core part of your security strategy, we'd love to talk.",[15,2635,2636],{},[189,2637,2640],{"href":2638,"rel":2639},"https:\u002F\u002Fepiski.com\u002Fcontact",[2631],"Let's talk →",[15,2642,2643],{},[2556,2644,2645],{},"Tools protect systems. Culture protects organizations.",{"title":195,"searchDepth":196,"depth":196,"links":2647},[2648,2649,2650,2651,2652,2653],{"id":2534,"depth":196,"text":2535},{"id":2547,"depth":196,"text":2548},{"id":2569,"depth":196,"text":2570},{"id":2582,"depth":196,"text":2583},{"id":2595,"depth":196,"text":2596},{"id":2608,"depth":196,"text":2609},"craft","2026-05-11","Security tools and policies only go so far. The organizations that are truly resilient are the ones where security is part of how everyone thinks — not just what the security team does.",{"src":2658},"\u002Fimages\u002Fblog\u002FTips.jpg",{},"\u002Fnow\u002Ftips",{"title":2511,"description":2656},"3.now\u002Ftips","LtzuWX4I6GxP-GCS8QRdhlQQW0iHXTak5_7evvpUeK8",1778494679759]