PCI Compliance Overview
Overview
The Compliance area lets you assess your environment against the PCI family of standards without leaving the Conviso Platform. You create an assessment, answer each control, attach the supporting evidence, and the platform consolidates the results into dashboards that show exactly where your gaps are — so the same record becomes the basis for your remediation plan.
It is built for the people accountable for payment-security compliance: PCI managers, AppSec teams preparing for an assessment, and service providers who need a defensible, point-in-time record of their posture.
You will find it under Compliance → PCI in the left navigation.

Supported frameworks
Compliance is not limited to PCI DSS. When you create an assessment you choose which PCI standard to evaluate against, and the platform loads the matching control catalogue:
| Framework | Version | Who it is for |
|---|---|---|
| PCI DSS — Data Security Standard | v4.0.1 | Merchants, service providers, and any entity that stores, processes or transmits cardholder data (CHD/SAD). |
| PCI PIN — PIN Security Requirements | v3.1 | Acquirers, processors, KIFs, and HSM/ATM operators — covers PIN processing, transmission, and key management. |
| PCI SSF — Secure Software Standard | v2.0 | Payment software products — how a product protects sensitive data, authenticates, and responds to attacks. |
| PCI SSF — Secure SLC Standard | v1.1 | The software development lifecycle — how an organisation builds payment software securely. |
Each framework drives its own scope options and control set, but the workflow — answer, evidence, analyse, finalize — is identical across all of them.
Key concepts
| Term | Meaning |
|---|---|
| Assessment | One run against a chosen framework and scope. |
| Control | An individual requirement item you answer (e.g. PCI DSS 3.2.1). |
| Requirement | A top-level grouping of controls (PCI DSS requirements 1–12). |
| Gap | A control marked Not in place — the work that remediation must close. |
| Scope | How much of the framework you assess (e.g. full ROC vs a focused SAQ). |
The PCI dashboard
The landing dashboard summarises your program at a glance:
- Last assessment — compliance percentage and scope of the most recent assessment.
- In progress — assessments still in draft or in progress.
- History — number of completed assessments.
- Trend — change in compliance versus the previous assessment, in percentage points.
Use View to open the assessments list, where each card shows its scope, framework version, control progress, last edit, and current compliance percentage.

The workflow at a glance
- Create an assessment and choose its framework and scope.
- Answer the controls and attach evidence as you go.
- Review the Gap Analysis dashboards to see and prioritise open gaps.
- Link projects to drive remediation.
- Finalize to lock the assessment as a point-in-time record.
If you own PCI in your organisation, the PCI Manager role-based guide walks through the same workflow from a manager's perspective.