What is a gap analysis?
A PCI DSS gap analysis is usually the first step clients take to understand their compliance status. It provides a detailed comparison of what their business is currently doing against what it should be doing to be compliant with the PCI DSS.
It starts with a Qualified Security Assessor (QSA) mapping your critical information processes and technical infrastructure to determine where PCI DSS controls affect the business, in order to:
- Outline the most cost-effective approach to meeting your PCI DSS obligations; and
- Assess readiness for an upcoming PCI DSS audit and identify deficient controls that could cause an audit failure, with costly consequences for the organisation.
After the assessment, your QSA will prepare a full report that provides an executive summary and a detailed analysis of the status of each control, together with high-level recommendations and options for remediation.
Did you know?
Organisations are required not only to achieve 100% compliance with the PCI DSS, but also to maintain it. This means having all applicable security controls continuously in place. However, the Verizon 2018 Payment Security Report found that:
- Only 52.5% of organisations achieved full compliance at interim PCI DSS validation in 2017.
- Fewer than one in five organisations (18%) measure their DSS controls across their entire environment more frequently than the DSS requires.
Complacency leads to breaches: virtually all breached organisations were not compliant with the Standard.
Benefits of a PCI DSS gap analysis:
By identifying your gaps, you can:
- Create a snapshot of PCI DSS compliance;
- Identify, in priority order, the areas requiring immediate attention and the most cost-effective remediation;
- Improve cost forecasting and budget justification for a PCI DSS compliance programme; and
- Gain an awareness of your company’s ability to comply with any new release of the Standard, such as PCI DSS v3.2.
Is a PCI DSS gap analysis right for you?
If you are responsible for implementing the PCI DSS in your organisation, you should ask yourself:
- Do you need to establish the scope of the project?
- Are you undertaking a new programme or reviewing your existing status?
- Has your organisation's method of taking payments evolved in response to business and customer demand?
- Have the technology or processes used to store, process or transmit cardholder data changed?
- Have similar organisations suffered a breach of cardholder data?
Our engagement process
The service typically involves several days on-site for our QSAs to meet with the managers who oversee the PCI DSS programme; key staff involved in network administration and cardholder systems; and the individuals responsible for company procedures and policies.
- Scoping: A scoping exercise is performed by critically evaluating the cardholder data environment (CDE) and the system components connected to it, to determine which people, processes and systems fall within scope for the PCI DSS requirements.
- Pre-assessment information gathering: During this step, we confirm that the correct scope has been identified for the people, processes and system components for PCI compliance.
- Assessment and analysis: A detailed assessment of the CDE is conducted, including interviews with stakeholders, a review of policy and procedure documentation, and an assessment of the security controls in place.
- Post-assessment and report: A plan to bridge the gap between your current security posture and full compliance with the Standard is provided, setting out the necessary corrective actions and enabling you to reduce the risk of a data breach.
"IT Governance were very professional and pragmatic in their approach, and displayed a level of understanding of our business that we found unique and refreshing."
Damien Everard, COO of Appletree.