Sometime over the last two days, the PCI Security Standards Council released their Prioritized Approach guideline for implementing PCI v1.2. Go download it and take a look.

This document is probably useful for a merchant who has never heard of PCI. It details the priority they believe merchants should assign to every PCI Requirement and places each one into one of six buckets. For those merchants and service providers that are currently working through their gaps, or are already compliant, this spreadsheet will probably not be useful.

The danger with this document is that it makes the sweeping assumption that every organization is the same, and therefore should prioritize the same way. The provided spreadsheet is locked, so if you want to customize it for your organization you must select all, copy, and paste into a new document.

Any tools that merchants or service providers use to assist in their remediation planning or execution must be customized to their organization. The tool has a nice framework, but you should not use it out of the box without modifying it to match your organization. It is missing the testing procedures that QSAs use to identify gaps, which is probably something your teams will want to see to ensure their actions will result in a successful passing assessment.

Something like this should come out of a compliance readiness assessment and mention specific gaps that are found in the environment, with corresponding remediation activities and teams responsible for completing the actions. Regardless, it is worth a look to see if it is something that you can use to assist in your remediation efforts.

VeriSign provides something similar to this. If you are interested in this sheet and want a copy, please shoot me an email and I’ll see if I can wrastle the documents out of Levinson & Springfield’s hands to send your way!

This post originally appeared on
