A PCI DSS gap assessment (sometimes called a PCI gap analysis) examines a company’s cardholder data environment (CDE) to determine how far it is from compliance with the Payment Card Industry Data Security Standard (PCI DSS). It is usually performed by a Qualified Security Assessor (QSA), although an organization can also conduct one internally.

An information security framework, the PCI DSS aims to help merchants and service providers protect credit and debit card transactions from data breaches. PCI DSS is not a law or regulation; it is an industry mandate, enforced contractually by the card brands and acquiring banks, that applies to all organizations that store, process, and/or transmit cardholder data.

A PCI gap assessment helps companies spot any technology, process, and administrative gaps in their cybersecurity programs, particularly regarding their procedures and controls for handling customers’ card data. The PCI DSS gap analysis also helps organizations ensure that they are meeting their PCI compliance requirements.

The Gap Analysis

The gap analysis should focus on the 12 PCI DSS requirements (worded here as in PCI DSS v3.2.1):

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Protect all systems against malware and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Identify and authenticate access to system components.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes (such as with penetration testing).
  12. Maintain a policy that addresses information security for all personnel.

A PCI Data Security Standard gap assessment sets the foundation for a PCI DSS compliance program. It helps a merchant or service provider determine its current compliance status and improve security by spotlighting areas that need immediate attention.

A PCI gap assessment helps a company understand its PCI environment at the control level. It’s used to help a company understand how ready it is for its PCI audit or self-assessment questionnaire (SAQ) and to identify any inadequate controls that impact the organization’s PCI DSS compliance.

Steps in the PCI Gap Assessment

A company should begin its PCI gap assessment by determining its scope: which systems, networks, and processes store, process, or transmit cardholder data (or are connected to those that do), and which of them the assessment will cover. Scoping also includes collecting the information needed to build a sound remediation plan. Many organizations hire external Qualified Security Assessors (QSAs) to help with their PCI gap assessments.

After determining the scope of the PCI gap assessment, the company should accurately define its goals and describe the services, areas, and equipment that it plans to assess. It also makes sense to decide how long the gap analysis will take and communicate that information to team members.

Next, the organization compares its existing controls against each of the 12 requirements, identifies the areas it needs to improve or change, and works out a plan to remediate those gaps, prioritized by the risk they pose to cardholder data.

Finally, the company has to resolve or remediate the gaps it found during the PCI gap assessment.

If a company hires a QSA to conduct the PCI gap assessment, the QSA will write up a final report that summarizes the findings and describes the status of the company’s controls against each requirement. The QSA will also recommend ways to remediate any issues. Note that a gap assessment report is not itself a Report on Compliance (ROC); it prepares the organization for that formal assessment.

Find PCI Gaps Automatically

A PCI DSS gap assessment or gap analysis can take considerable time and work to complete. A good governance, risk management, and compliance (GRC) solution can make the job much easier, however.

ZenGRC’s unlimited self-audits help you find and stay on top of PCI compliance gaps. The prioritizing and workflow tracking features help you feel confident that, come audit time, you’ll attain that coveted Report on Compliance (ROC) with ease.

Worry-free PCI DSS compliance is the Zen way. Contact us now for a free consultation, and find out why many of the world’s leading companies rely on ZenGRC.