The PCI DSS Prioritised Approach

The PCI DSS Prioritised Approach   A tool for merchants and acquirers

By Jason McWhirr, Information Security Consultant

What is the PCI DSS Prioritised Approach?

Merchants with more complex payment systems or payment processes that do not fit into the shortened SAQs (A, A-EP, B, B-IP, C & P2PE) are required to complete SAQ D or may require an on-site assessment (for merchants with larger amounts of transactions).


These questionnaires can take extended periods of time for a merchant to complete as company payment processes, IT systems and service providers may need substantial changes to be made to become PCI DSS compliant.


The PCI Council recognises this, and to help merchants working towards compliance they introduced the Prioritised Approach document.  This document provides a roadmap for merchants to help them prioritise their compliance efforts in the most critical risk areas of PCI DSS.


The main focus is on the protection of cardholder data, establishing security milestones, and lowering the risk of a cardholder data breach.


In addition to the Prioritised Approach document and to help merchants, the PCI SSC also created the Prioritised Approach Tool. This is a worksheet that merchants can use to easily document their progress. The Prioritised Approach document is updated each time the PCI DSS is revised, currently version 3.2. The latest document will always be found here.


Webpage URL

Find out more about our PCI DSS compliance services by clicking the button below


How does it help merchants?

Rather than using the 12 PCI DSS requirements, the Prioritised Approach document uses 6 security milestones to target the highest risks to the merchant’s cardholder data and systems. The matrix below summarises the high-level goals for each milestone;


Figure 1 – The six milestones of the Prioritised Approach


Figure 1 – The six milestones of the Prioritised Approach


The Prioritised Approach worksheet shows the milestones above numbered and colour coded, linked to the PCI DSS requirements that have the highest risk to cardholder data.


The worksheet is designed to assist an initial gap analysis for a merchant’s payment systems, with answers being either ‘YES’, Not Applicable, or ‘NO’, with additional fields for non-applicability, and for non-compliant answers with estimated dates for completion.


Information on requirements is kept minimal with the labels only giving a short description of the requirement – for more information always refer to the actual PCI DSS document for more detailed guidance.


Figure 2 – PCI DSS Prioritised Approach worksheet


Figure 2 – PCI DSS Prioritised Approach worksheet


The document creates a better understanding of how compliance is needed to protect cardholder data, creates manageable prioritised areas, and creates percentage scores to monitor compliance achievements for each milestone;


Figure 3 – PCI DSS Prioritised Approach Summary


Figure 3 – PCI DSS Prioritised Approach Summary


The Prioritised Approach document is an aid for merchants on their route to comply with the PCI DSS. It provides them with a measurable level of progress that they can use to demonstrate to their acquirer and within their organisation of the steps that they are taking towards meeting their PCI DSS compliance.  


On completion of the required steps, the merchant will then need to complete their relevant PCI compliance documentation to report their compliance with the standard.


How does it help an Acquirer?

A merchant may be working to compliance correctly but it can be difficult for them to show their progress – the Prioritised Approach demonstrates this very well. It also highlights the merchants risk in certain areas, and shows the estimated completed date of each milestone.


One of the main issues with compliance is that a merchant’s PCI compliance project sometimes doesn’t stay on track. Submitted Prioritised Approach worksheets will indicate if the merchant is making progress compared to their last submission, making it easier for acquirers to monitor their merchant’s compliance efforts.


Merchant Support

To help merchants understand PCI DSS and their compliance requirements, Sysnet’s merchant support services;


  • Describe PCI DSS, its requirements, and relevance to merchants & acquirers.
  • Describe how scoping payment channels can reduce the complexity of compliance.
  • Walk through the merchant’s payment processes to understand how cardholder data is stored, processed and transmitted by the merchant.
  • Help the merchant understand what is, and isn’t in scope for PCI DSS in each of their payment channels (Ecommerce, Face-to-Face and Mail Order/Telephone Order (MOTO)).
  • Help the merchant understand the PCI DSS implications for their current payment systems and processes.
  • Advise the merchant on possible ways to reduce the PCI DSS scope by making payment process changes or using technology to remove cardholder data from their systems.


Often, the outcome of a merchant engagement will be that the merchant understands what needs to be done to become compliant and is able to complete their journey to compliance themselves. Merchants who have relatively simple payment channels may be able to work through the easier, shortened PCI Self-Assessment Questionnaires (SAQs) (if applicable) directly before self-certification or on-site assessment.


Other merchants with more complex systems may need more time to work towards becoming compliant. Sysnet always recommend the use of the PCI Prioritised Approach document for this scenario.


Like this Article?

Subscribe to receive more tips & news about Cyber Security, Compliance and a lot more!

  • Sysnet Global Solutions will use the information you provide on this form to be in touch with you regarding non-promotional as well as promotional material by email and phone. If you agree to same, then please select the ‘I consent’ box after reading the terms and conditions listed below in relation to consent. You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, update your preferences for communications, content etc. by clicking on the update my preferences button in any email we send you or by contacting us at We will treat your information with respect. For more information about our privacy practices please visit our website. By clicking below, you agree that we may process your information in accordance with these terms. We use Pardot as our marketing automation platform. By clicking below to submit this form, you acknowledge or agree that the information you provide will be transferred to Pardot for processing in accordance with their Privacy Policy and Terms