The Gap Assessment module provides a structured evaluation of your organisation's PCI-DSS compliance maturity across all 12 requirements. The assessment consists of 60 questions organised into 12 chapters (one per PCI-DSS requirement), with each response scored on a maturity scale.
Maturity Scoring
Each question is scored on a 0–4 scale:
| Score | Description |
|---|---|
| 0 — Non-existent | No controls, processes, or awareness exist for this requirement |
| 1 — Initial / Ad hoc | Some awareness exists but processes are informal, inconsistent, or undocumented |
| 2 — Developing | Processes are documented and partially implemented but not consistently followed or monitored |
| 3 — Defined / Managed | Controls are fully implemented, documented, consistently followed, and regularly reviewed |
| 4 — Optimised | Controls are continuously improved through metrics, automation, and lessons learned. Best practices are exceeded |
Running an Assessment
- Navigate to PCI-DSS → Gap Assessment
- Click New Assessment or resume an existing in-progress assessment
- Work through each of the 12 chapters, answering questions for each PCI-DSS requirement
- For each question, select a maturity score and add notes or evidence references (for example the policy, configuration export, or scan report that supports the score), so that a reviewer can verify the rating later instead of taking it on trust
- Save progress at any time — assessments can be completed across multiple sessions
- When all questions are answered, mark the assessment as Completed
Assessment Chapters
| Chapter | PCI-DSS Requirement | Questions |
|---|---|---|
| 1 | Network Security Controls | 5 |
| 2 | Secure Configurations | 5 |
| 3 | Protect Stored Account Data | 5 |
| 4 | Protect Data in Transit | 5 |
| 5 | Anti-Malware | 5 |
| 6 | Secure Development | 5 |
| 7 | Access Control | 5 |
| 8 | User Authentication | 5 |
| 9 | Physical Security | 5 |
| 10 | Logging & Monitoring | 5 |
| 11 | Security Testing | 5 |
| 12 | Security Policies & Programs | 5 |
Interpreting Scores
After completing the assessment, the overall score is the sum of all 60 responses expressed as a percentage of the maximum possible score (4 × 60 = 240). Treat it as a maturity indicator for gap analysis, not as a compliance determination: PCI-DSS itself is assessed requirement by requirement as in place or not in place (by a QSA for a Report on Compliance, or through a Self-Assessment Questionnaire), and a high maturity percentage does not on its own establish that every requirement is in place.
- 85% and above — Strong compliance posture. Focus on continuous improvement and maintaining controls
- 70% to below 85% — Good foundation with some gaps. Address medium-priority items to strengthen compliance
- 50% to below 70% — Significant gaps exist. Prioritise remediation of critical and high-risk areas
- Below 50% — Major compliance gaps. Immediate action required across multiple requirements
Priority Gaps
Venvera automatically highlights the most critical gaps based on:
- Requirements scored 0 or 1 (non-existent or ad hoc controls)
- Requirements that directly protect the cardholder data environment (CDE) (Requirements 1, 3, 4) — highest priority
- Testing and monitoring gaps (Requirements 10, 11) — frequently cited in Qualified Security Assessor (QSA) findings
- Access control deficiencies (Requirements 7, 8) — common breach vectors
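The scoring rules in Interpreting Scores and the highlighting rules in Priority Gaps, reproduced as a worked example for a constructed set of 60 responses. This is an example added to this page, not Venvera's own code, and it makes three assumptions that the page does not state, each marked in the code: question identifiers have the form chapter.number, "scored 0 or 1" is applied per question rather than per chapter average, and the three priority tiers are ranked in the order the page lists them (CDE protection first).

```python
"""Reproduce the Gap Assessment scoring described on this page for a
constructed set of 60 responses. Added worked example, not Venvera code.
Labelled assumptions: question IDs are "<chapter>.<n>", "scored 0 or 1"
is applied per question, and the three priority tiers are ranked in the
order the page lists them (CDE protection first)."""
from collections import defaultdict

CHAPTERS = {
    1: "Network Security Controls", 2: "Secure Configurations",
    3: "Protect Stored Account Data", 4: "Protect Data in Transit",
    5: "Anti-Malware", 6: "Secure Development", 7: "Access Control",
    8: "User Authentication", 9: "Physical Security",
    10: "Logging & Monitoring", 11: "Security Testing",
    12: "Security Policies & Programs",
}
QUESTIONS_PER_CHAPTER = 5
MAX_SCORE = 4
MAX_TOTAL = MAX_SCORE * QUESTIONS_PER_CHAPTER * len(CHAPTERS)  # 4 x 60 = 240

# Tier membership is taken from the page; the rank order between tiers is an assumption.
PRIORITY_TIERS = [
    ({1, 3, 4}, "CDE protection"),
    ({10, 11}, "testing and monitoring"),
    ({7, 8}, "access control"),
]

# Lower bound of each band, checked from the top down so that 84.6% lands in "Good".
BANDS = [
    (85.0, "Strong compliance posture"),
    (70.0, "Good foundation with some gaps"),
    (50.0, "Significant gaps exist"),
    (0.0, "Major compliance gaps"),
]


def all_question_ids():
    # Assumed identifier scheme: "<chapter>.<question>", e.g. "3.2"
    return [f"{c}.{q}" for c in CHAPTERS for q in range(1, QUESTIONS_PER_CHAPTER + 1)]


def validate(responses):
    """An assessment is only scorable once every question holds an integer 0-4."""
    expected = set(all_question_ids())
    if set(responses) != expected:
        raise ValueError(
            f"incomplete assessment: missing={sorted(expected - set(responses))} "
            f"unknown={sorted(set(responses) - expected)}"
        )
    for qid, score in responses.items():
        if type(score) is not int or not 0 <= score <= MAX_SCORE:
            raise ValueError(f"{qid}: score {score!r} is not an integer in 0..{MAX_SCORE}")


def overall_percentage(responses):
    """Sum of all responses as a percentage of the 240-point maximum."""
    validate(responses)
    return 100.0 * sum(responses.values()) / MAX_TOTAL


def band(pct):
    for lower_bound, label in BANDS:
        if pct >= lower_bound:
            return label
    raise ValueError(f"percentage out of range: {pct}")


def chapter_averages(responses):
    """Mean maturity per requirement, for a per-chapter view of the same data."""
    validate(responses)
    totals = defaultdict(int)
    for qid, score in responses.items():
        totals[int(qid.split(".")[0])] += score
    return {c: totals[c] / QUESTIONS_PER_CHAPTER for c in CHAPTERS}


def tier_of(chapter):
    for rank, (members, label) in enumerate(PRIORITY_TIERS):
        if chapter in members:
            return rank, label
    return len(PRIORITY_TIERS), "other"


def priority_gaps(responses):
    """Questions scored 0 or 1, highest tier first, then lowest score, then ID."""
    validate(responses)
    gaps = []
    for qid, score in responses.items():
        if score <= 1:  # assumption: the 0/1 rule is applied per question
            chapter = int(qid.split(".")[0])
            rank, tier = tier_of(chapter)
            gaps.append((rank, score, [int(p) for p in qid.split(".")], qid, CHAPTERS[chapter], tier))
    gaps.sort(key=lambda g: g[:3])
    return [{"question": q, "score": s, "requirement": r, "tier": t} for _, s, _, q, r, t in gaps]


def build_sample():
    """Constructed input: a mostly 'Defined' organisation with a few weak spots."""
    responses = {qid: 3 for qid in all_question_ids()}
    responses.update({"3.2": 1, "3.4": 0, "10.1": 1, "7.3": 1, "9.5": 0, "12.1": 4})
    return responses


if __name__ == "__main__":
    sample = build_sample()
    pct = overall_percentage(sample)
    print(f"overall: {pct:.2f}% -> {band(pct)}")
    for c, avg in chapter_averages(sample).items():
        print(f"  ch {c:>2} {CHAPTERS[c]:<30} {avg:.1f}")
    for gap in priority_gaps(sample):
        print(f"  gap {gap['question']:<5} score {gap['score']} [{gap['tier']}] {gap['requirement']}")
```

The constructed sample totals 169 points, 70.42%, which sits just inside the "Good" band even though two CDE questions score 0 and 1; that is why the priority list, not the headline percentage, is what a remediation plan should start from.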
Cross-Framework Propagation
PCI-DSS gap assessment results can inform assessments in your other enabled frameworks. Many PCI-DSS requirements overlap with:
- ISO 27001 — Annex A controls covering access control, cryptography, network security, and operations security
- NIST CSF — Identify, Protect, Detect, Respond, and Recover functions map extensively to PCI-DSS requirements
- SOC 2 — Trust Services Criteria for security, availability, and confidentiality overlap with PCI-DSS
- DORA — ICT risk management, incident reporting, and resilience testing requirements have PCI-DSS parallels