
Create a PCI Assessment

Overview

An assessment is the unit of work you evaluate against a PCI standard. Creating one is a two-step decision: which framework you are assessing against, and how much of it (the scope). Both choices shape the control catalogue you will answer.

From Compliance → PCI → Assessments, click New assessment, then give the assessment a title (for example PCI DSS Q1 2026).

New assessment dialog

Step 1 — Choose the framework

The Framework selector lists every supported PCI standard. Pick the one that matches what you are being assessed for; the dialog then shows the scope options that apply to it.

Framework selector

Framework                    Choose it when…
PCI DSS v4.0.1               You store, process, or transmit cardholder data and need a DSS validation.
PCI PIN v3.1                 You are an acquirer, processor, or HSM/ATM operator handling PIN data.
SSF — Secure Software v2.0   You are validating a payment software product.
SSF — Secure SLC v1.1        You are validating your software development lifecycle.

Step 2 — Choose the scope

PCI DSS

PCI DSS offers two paths:

  • ROC — Full scope — evaluates all 245 controls. Use it for a complete Report on Compliance, when scope is not yet defined, or when you are unsure which SAQ applies.

  • SAQ — Focused questionnaire — a reduced control set tailored to a specific business type. When you pick SAQ, select which SAQ applies:

    SAQ                    Applies to
    A                      Card-not-present e-commerce, fully outsourced to a validated TPSP.
    A-EP                   E-commerce whose site can affect payment-data security (JS posting to a TPSP).
    B                      Imprint machines or standalone dial-out terminals, no electronic CHD storage.
    B-IP                   Standalone IP-connected POI devices approved as PTS POI.
    C                      Internet-connected payment-application systems, no e-commerce.
    C-VT                   Web-based virtual terminal on a single isolated computer.
    D (Merchant)           Merchants who do not qualify for any other SAQ — full DSS scope.
    D (Service Provider)   Service providers eligible for SAQ (no ROC required).
    P2PE                   Hardware terminals in a PCI-listed P2PE solution.
    SPoC                   PCI-listed SPoC — software-based PIN entry on COTS devices.

PCI PIN

Choose how the assessment is performed:

  • Self-Assessment — internal self-attestation AOC.
  • QPA-assessed — a formal assessment by a Qualified PIN Assessor.

PCI SSF (Secure Software / Secure SLC)

Each SSF standard is assessed against its full control set — there are no reduced scopes to choose. Select the framework and continue.

Not sure which SAQ? Use the wizard

For PCI DSS, if you are unsure which SAQ fits your operation, choose SAQ and click “Not sure which SAQ — help me choose.” The wizard asks about your company profile, how customers pay, who processes card data at checkout, and your equipment, then recommends the applicable SAQ and fills it in for you.

SAQ wizard

When the form is complete, click Create to open the assessment and start answering controls.

Tip: Not certain about your scope yet? Start with PCI DSS → ROC — Full scope. You see the complete control set and can narrow down on a later assessment.
