IAM Maturity Assessment for PCI DSS
PCI DSS v4.0 applies to organizations that store, process, or transmit payment card data. Requirement 7 restricts access to cardholder data by business need to know, and Requirement 8 covers identification and strong authentication, including MFA for access to the cardholder data environment.
- Maturity threshold
- 2.5 / 4.0
- Mapped questions
- 11
- IAM domains
- 5
- Assessment scope
- All scopes
What PCI DSS Expects from Identity Programs
The identity-relevant themes below reflect the AXIS capabilities mapped to PCI DSS citations in the question bank. They paraphrase where identity fits, not the legal text itself.
- Access restriction to cardholder data based on need to know, with documented approvals and reviews
- Unique identification and strong authentication, including MFA for administrative and CDE access
- Protection of administrative credentials, secrets, and recorded privileged sessions
- Governance and lifecycle discipline over accounts that can reach payment systems
AXIS Questions Mapped to PCI DSS
11 of the 37 questions in the AXIS bank carry PCI DSS citations, including 6 domino controls (foundational capabilities that cap the overall score when weak).
| Question | Domain | Capability | PCI DSS references |
|---|---|---|---|
| IGA-01 Domino | IGA | Lifecycle Management (Joiner / Mover / Leaver) | PCI-DSS 8.1 (user identification) |
| IGA-03 | IGA | Access Reviews & Recertification | PCI-DSS 7.2 |
| IGA-05 | IGA | Entitlement Discovery and Classification | PCI-DSS 7.1 |
| IGA-06 | IGA | Segregation of Duties (SoD) | PCI-DSS 6.4.2 |
| PAM-01 Domino | PAM | Admin Credential Protection | PCI DSS (credential protection) |
| PAM-02 Domino | PAM | Secrets Management (Non-Human & Application Credentials) | PCI-DSS 8.6 (authentication mechanisms) |
| PAM-05 | PAM | Session Management and Recording | PCI-DSS 10.2 |
| AUTH-01 Domino | Auth/SSO | Adaptive MFA | PCI-DSS 8.3 (strong authentication) |
| AUTH-04 | Auth/SSO | Phishing-Resistant MFA & Session Integrity | PCI-DSS 8.4.2 (MFA for CDE access) |
| CLOUD-01 Domino | Cloud | Multi-Cloud Permission Management (CIEM) | PCI cloud guidance |
| GOV-01 Domino | Governance | Identity Data Ownership | PCI-DSS 7.1 (access governance) |
How AXIS Scores PCI DSS Alignment
A threshold model: each mapped control either meets the PCI DSS maturity bar or it does not, and the alignment percentage is the share that does.
Threshold: 2.5 of 4.0
Each framework in AXIS carries a research-derived maturity threshold (Methodology Section 7.2). For PCI DSS, a mapped control counts as passing when its answered maturity level reaches 2.5: documented and consistently enforced. The alignment percentage is the share of mapped controls at or above that bar.
Citations live on individual answer options, so the exact set of controls counted for PCI DSS in a given assessment reflects the answers selected. The table above lists every question whose answer options carry PCI DSS citations.
80%+
Aligned
60-79%
At Risk
<60%
Non-Compliant
Scope and Industry Awareness
PCI DSS appears in every assessment scope: workforce, customer identity (CIAM), and full.
It is shown when the assessed organization operates in: Financial Services, Retail. Other industries see only the frameworks relevant to them.
Indicative Alignment, Not Certification
This page describes how the AXIS assessment maps its question bank to PCI DSS 4.0. Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. Whether and how PCI DSS applies depends on your organization, sector, and jurisdiction; consult qualified counsel or auditors for formal compliance determinations.
See Where You Stand Against PCI DSS
Run the AXIS assessment and get your maturity score, PCI DSS alignment, and a prioritized roadmap in one pass. No signup required to start.