What is a gap analysis?
A PCI DSS Gap Analysis reviews an organization’s cardholder data environment (CDE) against the latest version of the Standard. In-scope systems and networks are reviewed and a detailed report compiled, showing areas that need attention.
It starts with a Qualified Security Assessor (QSA) mapping the critical information processes and technical infrastructure to determine where PCI controls have an impact on the business to:
- Outline the most cost-effective approach to meeting PCI obligations
- Assess readiness for an upcoming PCI audit and to identify deficient controls that could potentially cause an audit failure, with costly consequences for the organization
After the assessment, your QSA will prepare a full report that will provides an executive summary and detailed analysis of the status of controls and give high - level recommendations and options for remediation.
Did you know?
Organizations are required not only to achieve 100% compliance with the PCI DSS, but also to maintain it.
This means having all applicable security controls continuously in place. However, the Verizon 2018 Payment Security Report identifies that:
- Only 52.5% of organizations achieved full compliance at interim PCI DSS validation in 2017
- Less than one in five organizations (18%) measure their DSS controls across their entire environment more frequently than the DSS requires.
Complacency leads to breaches, virtually all breached organizations were not compliant with the standard.
Benefits of a PCI DSS gap analysis
By identifying your gaps, you can:
- Create a snapshot of PCI DSS compliance
- Identify areas requiring immediate attention, and cost-effective remediation, in prioritized terms
- Improve cost forecasting and budget justification for a PCI DSS compliance program
- Gain an awareness of your company’s ability to comply with any new release of the Standard, such as PCI DSS v3.2
Is a PCI DSS gap analysis right for you?
If you are responsible for implementing the PCI DSS in your organization, you should ask yourself:
- Do you need to establish the scope of the project?
- Are you undertaking a new program or reviewing your existing status?
- Has your organizations’ method of taking payments evolved in response to business and customer demand?
- Has technology or processes to store, process, or transmit card data changed?
- Have similar organizations suffered a breach of cardholder data?
Our engagement process
The service typically involves several days on-site for our QSAs to meet with the managers who oversee the PCI DSS program; key staff involved in network administration and cardholder systems; and the individuals responsible for company procedures and policies.
- Scoping: A scoping exercise is performed by critically evaluating the CDE and the system components connected to it to determine the scope necessary for the PCI DSS requirements.
- Pre-assessment information gathering: During this step, we confirm that the correct scope has been identified for the people, processes, and system components for PCI compliance.
- Assessment and analysis: A detailed assessment of the CDE is conducted, including: interviews with stakeholders, reviewing policy and procedure documentation and assessment of security controls.
- Post assessment and report: A plan to bridge the gap between your current security posture and full compliance with the Standard is provided, demonstrating the necessary corrective actions and enabling you to reduce the risk of a data breach.
Find out more about our PCI DSS Gap Analysis >>
How IT Governance can help you
Our services provide a tailored route to PCI compliance, scalable to your budget and need.
We go further than a simple ‘yes/ no’ approach to understand better how security measures work.
We work in partnership to help you understand what is required and why giving you control.
We can offer expertise to vet compensating controls and determine whether they are acceptable.
Companies using our PCI DSS products and services:
"IT Governance were very professional and pragmatic in their approach, and displayed a level of understanding of our business that we found unique and refreshing.”
Damien Everard, COO of Appletree.