The PCI assessment is a once-a-year exercise meant to ensure that PCI Data Security Standard requirements are being met. A PCI program is more than a collection of processes running independently; it is meant to be one continuous process, composed of all the people, processes, and technology that intertwine to make effective controls. Creating a continuous process requires 1) engaging the right people, 2) understanding the timing requirements of the controls and the assessment, and 3) optimizing the PCI evidence responses with other workflows. Building a PCI program is an evolving process, and the program will scale to our quickly changing business processes and digital environments. Let me share some things I have found useful on my own path to a business-as-usual PCI program.