Frequently Asked Questions

< Back to search page

How does the Prioritized Approach work?

FAQ Response

The Prioritized Approach tool is intended to help guide non-compliant entities to work through the process of becoming PCI DSS compliant. The Prioritized Approach does not supersede or replace the PCI DSS; rather, it can help to identify the quickest path a non-compliant entity can take to reduce risk to cardholder data.   

The Prioritized Approach focuses on six security milestones to incrementally protect against the highest risk factors and escalating threats. The milestones are structured around six core best practices, as follows:
  • Milestone One: If you don’t need it, don’t store it.
  • Milestone Two: Secure the perimeter.
  • Milestone Three: Secure applications.
  • Milestone Four: Control access to your systems.
  • Milestone Five: Protect stored cardholder data
  • Milestone Six: Finalize your compliance efforts, and ensure all controls are in place.
As the PCI SSC does not enforce compliance, please check with your acquirer or the appropriate payment card brand to identify how the Prioritized Approach can be used in reporting compliance. 

March 2009
Article Number 1170