PCI Business Process and Segmentation Review

In addition to monetizing risk, this assessment facilitates PCI DSS compliance and future payment initiatives.

A PCI Business Process and Segmentation Review builds an understanding of the PCI environment and the business processes associated with it. The goal is to identify high-level, systemic issues at the PCI Compliance Program level. It outlines high-level areas requiring remediation and potentially identifies areas for scope reduction.


The PCI Business Process and Segmentation Review defines the business processes in scope for PCI compliance and identifies program-level issues that may prevent compliance. Additionally, it can identify areas for potential scope reduction, reducing the overall compliance activities and the cost of maintaining compliance.


SecureState consultants understand that the true cost of compliance is not achieving, but maintaining, compliance. Compliance responsibilities often fall on those who are overtaxed and have limited budgets and resources. SecureState's consultants are experts in understanding both the technical and business aspects of your organization. They can help to operationalize and embed compliance requirements as a part of your daily routine. Additionally, as a Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV), our staff members have the knowledge and expertise required to assist your organization with PCI compliance, thereby reducing the overall risk to your organization.

Approach and Methodology

A PCI Business Process and Segmentation Review is critical to understanding the environment. However, assessments do not mitigate risk; they only identify it. SecureState's approach maps out critical business and data flows to determine where regulatory controls have an impact on your business. The assessment aims to properly identify the cardholder data environment (CDE); identify high-level, program-level issues; interpret the standard; ensure that remediation is cost-justified; and keep our clients up to date on PCI requirements, threats, and liabilities.

Based on SecureState's experience, clients can find it difficult to maintain full compliance with PCI DSS requirements throughout the year, often failing due to a lack of consistent and repeatable process implementation or because of a change required by the business. Additionally, the true cost of compliance is not the annual assessment, but the day-to-day implementation and maintenance associated with staying compliant. SecureState helps clients implement consistent and repeatable processes that facilitate integration into your standard operating procedures. This approach allows our clients to get the most value, and to have the most options and flexibility, in meeting the goals of security and compliance.

Before coming onsite, SecureState will help you define your engagement goals, introduce all participants, and define their roles and responsibilities. SecureState will review the high-level engagement activities with our clients, establishing timeframes for the assessment. SecureState will also set up the MyState collaborative portal, an online tool used for communicating results with our clients.

Once onsite, SecureState will document the high-level PCI business process and its supporting technologies: the ways cardholder data (CHD) is introduced into the environment, and where CHD is stored, processed, and/or transmitted. We will map PCI processes to the supporting technical infrastructure.

Based on analysis of the environment, data flows, and interviews, SecureState will identify program-level issues and potential areas for scope reduction and risk mitigation. Reports delivered to the client will include the results of our onsite assessment as well as tactical and strategic recommendations, and will help to define appropriate next steps. SecureState will also provide a high-level remediation roadmap defining the activities that need to be completed to move toward the Desired State of PCI compliance.


Get Started!