Industry Mandates

IAM Maturity Assessment for PCI DSS

PCI DSS v4.0 applies to organizations that store, process, or transmit payment card data. Requirement 7 restricts access to cardholder data by business need to know, and Requirement 8 covers identification and strong authentication, including MFA for access to the cardholder data environment.

Maturity threshold
2.5 / 4.0
Mapped questions
11
IAM domains
5
Assessment scope
All scopes
Identity Expectations

What PCI DSS Expects from Identity Programs

The identity-relevant themes below reflect the AXIS capabilities mapped to PCI DSS citations in the question bank. They paraphrase where identity fits, not the legal text itself.

  • Access restriction to cardholder data based on need to know, with documented approvals and reviews
  • Unique identification and strong authentication, including MFA for administrative and CDE access
  • Protection of administrative credentials, secrets, and recorded privileged sessions
  • Governance and lifecycle discipline over accounts that can reach payment systems
Question Mapping

AXIS Questions Mapped to PCI DSS

11 of the 37 questions in the AXIS bank carry PCI DSS citations, including 6 domino controls (foundational capabilities that cap the overall score when weak).

AXIS assessment questions mapped to PCI DSS, with domain, capability, and framework references
QuestionDomainCapabilityPCI DSS references
IGA-01
Domino
IGALifecycle Management (Joiner / Mover / Leaver)PCI-DSS 8.1 (user identification)
IGA-03IGAAccess Reviews & RecertificationPCI-DSS 7.2
IGA-05IGAEntitlement Discovery and ClassificationPCI-DSS 7.1
IGA-06IGASegregation of Duties (SoD)PCI-DSS 6.4.2
PAM-01
Domino
PAMAdmin Credential ProtectionPCI DSS (credential protection)
PAM-02
Domino
PAMSecrets Management (Non-Human & Application Credentials)PCI-DSS 8.6 (authentication mechanisms)
PAM-05PAMSession Management and RecordingPCI-DSS 10.2
AUTH-01
Domino
Auth/SSOAdaptive MFAPCI-DSS 8.3 (strong authentication)
AUTH-04Auth/SSOPhishing-Resistant MFA & Session IntegrityPCI-DSS 8.4.2 (MFA for CDE access)
CLOUD-01
Domino
CloudMulti-Cloud Permission Management (CIEM)PCI cloud guidance
GOV-01
Domino
GovernanceIdentity Data OwnershipPCI-DSS 7.1 (access governance)
Scoring Model

How AXIS Scores PCI DSS Alignment

A threshold model: each mapped control either meets the PCI DSS maturity bar or it does not, and the alignment percentage is the share that does.

Threshold: 2.5 of 4.0

Each framework in AXIS carries a research-derived maturity threshold (Methodology Section 7.2). For PCI DSS, a mapped control counts as passing when its answered maturity level reaches 2.5: documented and consistently enforced. The alignment percentage is the share of mapped controls at or above that bar.

Citations live on individual answer options, so the exact set of controls counted for PCI DSS in a given assessment reflects the answers selected. The table above lists every question whose answer options carry PCI DSS citations.

80%+

Aligned

60-79%

At Risk

<60%

Non-Compliant

Scope and Industry Awareness

PCI DSS appears in every assessment scope: workforce, customer identity (CIAM), and full.

It is shown when the assessed organization operates in: Financial Services, Retail. Other industries see only the frameworks relevant to them.

Indicative Alignment, Not Certification

This page describes how the AXIS assessment maps its question bank to PCI DSS 4.0. Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. Whether and how PCI DSS applies depends on your organization, sector, and jurisdiction; consult qualified counsel or auditors for formal compliance determinations.

See Where You Stand Against PCI DSS

Run the AXIS assessment and get your maturity score, PCI DSS alignment, and a prioritized roadmap in one pass. No signup required to start.