Frequently Asked Question

What is the meaning of “initial assessment” in PCI DSS?

An initial assessment is an entity’s first formal PCI DSS assessment that results in the submission of a compliance validation document. Examples of validation documents include an Attestation of Compliance (AOC), Self-Assessment Questionnaire (SAQ), and Report on Compliance (ROC).

If an entity has previously submitted a formal validation document, subsequent assessments cannot be considered an initial assessment. Examples of situations that do not change or reset an entity’s initial assessment date include where the entity misses a subsequent assessment date, changes assessor companies, reports to a different compliance entity, or changes or introduces new technologies to the environment.

Where an entity is being assessed to a PCI DSS requirement for the first time—for example, if the addition of a new payment acceptance channel results in an additional PCI DSS requirement(s) becoming applicable—the first assessment of the additional requirement(s) could be considered an initial assessment for that specific requirement(s).

Internal gap assessments and pre-production assessments that do not result in a formal compliance document are not considered initial assessments. For further guidance on PCI DSS compliance in pre-production environments, refer to FAQ 1333 Can PCI DSS compliance be determined by testing only pre-production environments using test data?

Entities should always consult with their acquiring bank or payment brand(s) to confirm how to report their compliance. Contact information for the payment brands is provided in FAQ 1142 How do I contact the payment card brands?

 
November 2020
Article Number: 1485