PCI DSS Gap Analysis
What is a Gap Analysis?
A PCI DSS Gap Analysis reviews an organization’s cardholder data environment (CDE) against the latest version of the Standard. In-scope systems and networks are reviewed and a detailed report compiled, showing areas that need attention.
It starts with a Qualified Security Assessor (QSA) mapping the critical information processes and technical infrastructure to determine where PCI DSS controls affect the business, in order to:
- Outline the most cost-effective approach to meeting PCI obligations; and
- Assess readiness for an upcoming PCI audit and identify deficient controls that could cause an audit failure, with costly consequences for the organization.
After the assessment, your QSA will prepare a full report that provides an executive summary and a detailed analysis of the status of controls, and gives high-level recommendations and options for remediation.
Why is a PCI DSS gap analysis so important?
Based on our experience, very few clients maintain full compliance with the PCI DSS v3.2 requirements. Findings from Verizon’s 2017 Payment Security Report support this view. After studying 11 years of forensic breach investigations, Verizon found that not a single company was PCI DSS compliant at the time of a breach. 89% of breached companies were never compliant, and 11% were PCI DSS compliant at one point, but not at the time of the breach.
As organizations evolve, business and customer demand require changes to technology and processes. These changes can affect an organization’s PCI DSS status. Although PCI DSS compliance is increasing, more than 40% of global organizations – large and small – are still not meeting PCI DSS compliance requirements. Of those that pass validation, nearly half fall out of compliance within a year.*
* Verizon 2017 Payment Security Report
Benefits of a PCI DSS gap analysis:
By identifying your gap, you can:
- Create a snapshot of PCI DSS compliance
- Identify areas requiring immediate attention, and cost-effective remediation, in prioritized terms
- Improve cost forecasting and budget justification for a PCI DSS compliance program
- Gain an awareness of your company’s ability to comply with any new release of the Standard, such as PCI DSS v3.2
Is a PCI DSS gap analysis right for you?
If you are responsible for implementing the PCI DSS in your organization, you should ask yourself:
- Do you need to establish the scope of the project?
- Are you undertaking a new program or reviewing your existing status?
- Has your organization’s method of taking payments evolved in response to business and customer demand?
- Have the technology or processes used to store, process or transmit card data changed?
- Have similar organizations suffered a breach of cardholder data?
Our engagement process
The service typically involves several days on-site for our QSAs to meet with the managers who oversee the PCI DSS program; key staff involved in network administration and cardholder systems; and the individuals responsible for company procedures and policies.
- Scoping: A scoping exercise is performed by critically evaluating the CDE and the system components connected to it to determine the scope necessary for the PCI DSS requirements.
- Pre-assessment information gathering: During this step, we confirm that the correct scope has been identified for the people, processes and system components for PCI compliance.
- Assessment and analysis: A detailed assessment of the CDE is conducted, including interviews with stakeholders, review of policy and procedure documentation, and assessment of security controls.
- Post-assessment and report: A plan to bridge the gap between your current security posture and full compliance with the Standard is provided, setting out the necessary corrective actions and enabling you to reduce the risk of a data breach.
Get a tailored quote for our PCI DSS gap analysis service
A PCI gap analysis conducted by an IT Governance QSA will map critical information processes and technical infrastructure. By assessing your current state of compliance, we can outline the most cost-effective approach to meeting the PCI DSS obligations. For more information, please contact us.