METHODOLOGY

Why Confidence Grades Matter

Not all findings are created equal. PCI grades every finding by the quality of evidence behind it. Acting on bad data is worse than not acting at all.

THE FOUR GRADES

Evidence Tiers

A

Multi-Source Verified

Three or more independent data sources (each collected separately, not derived from one another) confirm the finding. Highest confidence.

Example

Revenue variance confirmed by payment processor, registration platform, and bank reconciliation. All three agree within 2%.

Impact on PCI

Full weight in PCI score. Recommended for immediate action. Build Card issued with highest priority.

B

Dual-Source Verified

Two independent sources corroborate. High confidence with minor gaps.

Example

Discount pattern identified in CRM data and confirmed by invoice analysis. Third-party audit not available but not required.

Impact on PCI

Near-full weight. Build Card issued. Minor verification step may be added before implementation.

C

Single Source + Context

One reliable source supported by contextual signals. Moderate confidence.

Example

Vendor cost increase identified in AP data. Industry benchmarks suggest overpayment, but no competitive bid data available.

Impact on PCI

Partial weight in score. Build Card issued with "verify" flag. ROI range widened to reflect uncertainty.

D

Self-Reported Only

Operator-supplied data without external verification. Lowest confidence.

Example

Operator estimates 20% of staff time is spent on manual reporting. No time-tracking data or workflow logs to verify.

Impact on PCI

Minimal weight. Noted in findings but not scored. Recommendation: instrument before acting.

WHY IT MATTERS

Grades Change Everything

It changes the score

A $500K leak confirmed at Grade A moves the PCI score more than the same leak at Grade D. Confidence determines the weight a finding carries.

It changes the recommendation

Grade A findings get immediate Build Cards. Grade D findings get instrumentation recommendations first. Measure before you fix.

It protects the operator

Acting on low-confidence data wastes resources. Grading prevents "fix everything" recommendations that don't account for evidence quality.

It creates accountability

Every finding in a PCI report shows its grade. Stakeholders can see exactly how much confidence backs each number.

See how your evidence grades stack up.

Every PCI finding includes a confidence grade.