PCI DSS Prioritised Approach

QSA-led project to bring your organisation into full compliance with the PCI DSS, whilst remaining sympathetic to your wider business needs.

Building your PCI DSS compliance, one step at a time

Unlike many approaches to compliance, the Prioritised Approach has six clear milestones that are designed to provide your business with a clear roadmap to compliance, whilst addressing high-risk issues first.

These milestones help you to incrementally strengthen technical and procedural controls, and to achieve compliance within a defined project plan. Importantly, the Prioritised Approach is sponsored and authorised by the PCI Security Standards Council, and the card brands themselves.

Your dedicated PCI DSS QSA will hand-hold the Prioritised Approach project team through each milestone, acting as both a trusted advisor and as ‘checks and balances’ for your compliance efforts. By working closely with your project team, our assessor will help you to understand the letter and intent of each PCI requirement and control objective.

At the start of the project, our assessor works with your acquirers to properly scope and agree the Prioritised Approach, and we’ll provide a Letter of Intent that details the plan for compliance and confirms the appointment of a PCI Qualified Security Assessor Company.

After this, we’ll be in frequent contact to ensure that you achieve compliance with each milestone in line with the project plan. Our typical engagements include:

  • A weekly call with your project team
  • A monthly on-site visit (or a remote session)
  • Project tasks including document review, technical solution evaluation, and other services

At the end of the Prioritised Approach period, our PCI DSS QSA will conduct a formal Report on Compliance assessment (or an assisted Self Assessment Questionnaire, if your acquirer agrees).

Our QSA team has led Prioritised Approach projects for retail brands, payment service providers, and FTSE 100 and 250 companies (including commercial and domestic energy), so we’re well-placed to help you.


Data Security People is trusted by:


Key benefits

Improve your security over time, with a structured project methodology approved by the payment card schemes.

Pragmatic advice

Our work is defensible and evidence-based, but we’re pragmatic. We get business, and we’re not box-tickers.

Capability building

Improve your PCI DSS compliance over time and ensure that obligations with your clients, partners, and regulators are met.

Relationship driven

Our customers are the life-blood of our practice. We value your business, and strive to build a long-term relationship.


Passionate work from passionate people

Our work and expertise with the PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) was developed to enhance cardholder data security measures across the world. The PCI DSS provides a baseline for the technical and operational controls designed to protect your customers’ payment data.

The PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. The PCI DSS also applies to all other entities that store, process or transmit cardholder data.

To guide our clients through the extensive requirements of the PCI DSS, we maintain a dedicated team of PCI DSS Qualified Security Assessors (QSA). Our QSA team is engaged by retail brands, payment service providers, and FTSE 100 companies (including commercial and domestic energy), to provide experienced Qualified Security Assessors that understand complex technical environments in fast-paced industries.

Our team has vast operational experience with modern technologies, including containerised and virtualised environments, and is used to providing security advice to everybody from first-line support through to the C-suite.

Alongside our delivery work, we frequently publish security articles, white papers, and case studies, as well as evidence for research and government.

Crucially, we believe that rationalised information assurance policies – driven by evidence and data, rather than hyperbole and fear – are the best way to improve our clients’ security capabilities.


Continuous assurance is the future of PCI DSS governance.

It allows you to make evidence-based decisions and investments, instead of the box-ticking of years gone by.