A PCI DSS Gap Analysis reviews an organization’s cardholder data environment (CDE) against the latest version of the Payment Card Industry Data Security Standard (PCI DSS). In-scope systems and networks are reviewed and a detailed report is compiled, showing areas that need attention.
A PCI compliance gap analysis starts with a Qualified Security Assessor (QSA) mapping the critical information processes and technical infrastructure to determine where PCI DSS controls affect the business, in order to:
- Outline the most cost-effective approach to meeting PCI obligations
- Assess readiness for an upcoming PCI audit and identify deficient controls that could potentially cause an audit failure, with costly consequences for the organization
After the assessment, your QSA will prepare a full report that will provide an executive summary and detailed analysis of the status of controls and give high-level recommendations and options for remediation.
Benefits of a PCI DSS gap analysis
By identifying your gaps, you can:
- Create a snapshot of PCI DSS compliance
- Identify, in prioritized order, the areas requiring immediate attention and cost-effective remediation
- Improve cost forecasting and budget justification for a PCI DSS compliance program
- Gain an awareness of your company’s ability to comply with any new release of the Standard, such as PCI DSS v3.2
Is a PCI DSS gap analysis right for you?
If you are responsible for implementing the PCI DSS in your organization, you should ask yourself:
- Do you need to establish the scope of the project?
- Are you undertaking a new program or reviewing your existing status?
- Has your organization's method of taking payments evolved in response to business and customer demand?
- Have the technology or processes used to store, process, or transmit card data changed?
- Have similar organizations suffered a breach of cardholder data?