PCI DSS V3 - Compliance Dashboard

File uploaded by dgodart on Aug 30, 2011. Last modified by dgodart on Oct 17, 2014.
Version 26

Please feel free to use this “compliance dashboard” spreadsheet to sustain your PCI compliance journey. It encompasses:

  • Integration of the new Prioritized Approach V3
  • Corrections of glitches and priority levels; NA requirements are no longer counted in the total number of requirements associated with a priority (NEW)
  • Guidance text aligned with V3 (NEW)
  • Glossary aligned with V3 (NEW)
  • Link to the PCI Boutique (ready-to-use, easily adaptable templates for PCI policies, procedures, forms and logbooks) (NEW)
  • New merchant types (AE and PE2P)
  • Associated requirements for SAQ-AE (NEW)
  • Associated requirements for SAQ PE2P (NEW)
  • Priority Compliance Board (NEW): P1 to P6 progress rating
  • Priority Compliance Chart (NEW): P1 to P6 progress chart
  • List of NA requirements with rationales (NEW)
  • Selected merchant type displayed on the requirement sheets (NEW)
  • Integrated testing procedures from the ROC V3
  • Alignment with the SAQs V3
  • Integrated the new merchant types B-IP and Service Providers
  • Major observations from the Verizon PCI Compliance Report 2014
  • New severity rating
  • New possible answers (Not tested and Not applicable) (NEW)
  • Updated Executive Summary (calculation, % compliance, severity, max severity, ...) (NEW)
  • Updated compliance charts (NEW)
  • Easy navigation through each section (Go to previous, go to next, ...) (NEW)
  • A table of contents and navigation links
  • A "Scope" sheet allowing you to define the Cardholder Data Environment (CDE)
  • An Executive Summary showing your progress on your PCI compliance journey, based on the selected merchant type
  • Possibility to hide/unhide the non-applicable requirements associated with the selected merchant type
  • Graphs (compliance % and severity level per requirement)
  • Documentation sheet: required/optional technical and non-technical documentation with the associated PCI DSS requirements, plus a documentation inventory
  • All PCI DSS requirements grouped by section
  • Guidance associated with each requirement
  • The PCI glossary
  • The participants list (NEW: renamed to "PCI Team")
  • The list of merchant types
  • The compensating controls documentation sheet
  • The validation instructions for QSA/ISA for each requirement
  • Indication of "relevance" by merchant type (A, B, C, C-VT, D); "1" indicates that the requirement is relevant
  • Priority level or milestone from the “prioritized approach” (1-6)
  • A column "In Place" (Yes/No/Compensating control present)
  • A column "Severity", equal to the PCIco priority level, for requirements not in place
  • A column "Stage of implementation (if not in place)"
  • A column "Estimated date for completion"
  • A column "Proofs/Documentation/Comment"
  • A column "Remediation plan" (what must be done)
  • A column "Owner" (the individual or department in charge)
  • A column "SANS Top 20 Critical Security Controls" giving the matching sub-controls for each PCI requirement wherever possible
  • A sheet "SANS-PCI" listing all SANS Top 20 Critical Security Controls and sub-controls together with the PCI requirements partially or fully matching the sub-controls, plus the % of match for each SANS control
  • Links to the PCI 30 seconds newsletters (UPDATED)
  • Updated Scope sheet with criticality, patch level, scan date and scan report location
  • A sheet "PCI Crypto Key list" to list all keys used within the scope: KeyId, purpose, key custodians, status
  • A sheet "Vulnerability scans" (when, by whom, results)
  • A sheet "Penetration Tests" (when, by whom, results)
  • A sheet "Training & knowledge evidence"
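To make the Executive Summary arithmetic described in the list concrete, here is an added Python model of it; it is not the spreadsheet's own formulas. It assumes the status strings below, that NA rows are excluded from every denominator, that severity equals the Prioritized Approach milestone of each open requirement, and it reads "max severity" as the most urgent open milestone (lowest number); the requirement rows are constructed sample data.

```python
"""Constructed model of the dashboard's Executive Summary arithmetic.

Assumptions (not taken from the spreadsheet): status strings, NA rows
excluded from totals, severity = milestone of each open requirement, and
"max severity" read as the most urgent open milestone (lowest number).
"""
from collections import defaultdict

COMPLIANT = {"Yes", "Compensating control present"}
OPEN = {"No", "Not tested"}

# Constructed sample rows: (requirement id, milestone 1-6, relevant merchant types, status)
SAMPLE = [
    ("1.1.1", 2, {"A", "B", "C", "C-VT", "D"}, "Yes"),
    ("3.4",   1, {"D"}, "No"),
    ("8.2.3", 1, {"B", "C", "D"}, "Compensating control present"),
    ("10.2",  4, {"C", "D"}, "Not tested"),
    ("11.3",  5, {"D"}, "No"),
    ("12.8",  6, {"A", "B", "C", "C-VT", "D"}, "Not applicable"),
    ("9.1.1", 3, {"B", "C", "D"}, "Yes"),
]


def executive_summary(rows, merchant_type):
    """Per-milestone progress, overall %, open list and max severity for one merchant type."""
    counted = defaultdict(lambda: [0, 0])  # milestone -> [compliant, in-scope total]
    severities = []  # severity column: (milestone, requirement) for each open requirement
    for req_id, milestone, relevant, status in rows:
        if merchant_type not in relevant or status == "Not applicable":
            continue  # not relevant to this merchant type, or NA: left out of the totals
        counted[milestone][1] += 1
        if status in COMPLIANT:
            counted[milestone][0] += 1
        elif status in OPEN:
            severities.append((milestone, req_id))
        else:
            raise ValueError(f"unknown status {status!r} on requirement {req_id}")
    per_priority = {m: round(100 * c / t) for m, (c, t) in sorted(counted.items())}
    done = sum(c for c, _ in counted.values())
    total = sum(t for _, t in counted.values())
    return {
        "merchant_type": merchant_type,
        "per_priority_pct": per_priority,          # P1..P6 progress rating
        "overall_pct": round(100 * done / total) if total else 100,
        "open": sorted(severities),                # most urgent milestone first
        "max_severity": min((m for m, _ in severities), default=None),
    }


if __name__ == "__main__":
    print(executive_summary(SAMPLE, "D"))
```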


Related Newsletter: PCI 30 seconds newsletter - Mind the Gap


The new version of the file is attached.


We will continue to update this document as needed, so bookmark it and check back to see what's new when you need to use it.