Complying with Standards drawn by the Payment Card Industry Security Standards Council can be complicated and time-consuming. But, with a PCI DSS Gap Analysis, the process becomes a lot easier, streamlined, and less exhaustive. PCI Gap Analysis is the first step towards the Compliance process. The assessment provides details on your current security posture against what is expected and needs to be achieved by the organization. Most organizations are not sure of how a PCI DSS Gap Analysis process works, so in this article, we look at the steps involved in PCI Gap Analysis that you need to know. But, let us first understand the concept of Gap Analysis.
What is Gap Analysis?
A PCI DSS Gap Analysis is usually the first step performed in the PCI Compliance process. This is an assessment that helps merchants understand their Compliance status and prepares them for the on-site PCI assessments to achieve Compliance. PCI Gap Analysis is performed by an assessor who maps the critical information processes and technical infrastructure to determine the PCI controls that are required to be implemented.
Purpose of Gap Analysis:
- Identify deficient controls that could potentially cause an audit failure.
- Determine effective ways to implement necessary controls to meet PCI obligations.
- Assess the readiness for the upcoming PCI audit.
- Prevent consequences of audit failure for organizations.
Benefits of a PCI DSS gap analysis:
Gap Analysis is an essential part of the PCI Compliance process. Here is how the assessment helps merchants ease their efforts of Compliance.
- Determines the scope for PCI DSS Compliance.
- Determines the security posture of your PCI environment.
- Identifies areas that require immediate attention and prioritizes them accordingly.
- Eases the process of a PCI DSS Compliance Program.
- Draws out your organization's ability to comply with evolving standards.
After the assessment, the assessor provides a full report that outlines the analysis and details the status of controls and further provides a high-level recommendation for remediation.
Difference between PCI Gap Analysis & PCI QSA Audit Assessment
While the process is similar, PCI QSA Assessment is more detailed and rigorous in comparison to the initial Gap Assessment. Gap Analysis is an initial step in the process of PCI DSS Compliance. Below are some key differences between the two:
- Time required – PCI Gap Analysis is a shorter process of assessment which typically takes one week in comparison to PCI QSA Audit Assessment, which takes nearly three or more weeks.
- Cost involved – QSA Audit Assessments are more expensive than an assessor conducting Gap Analysis.
- Travel – PCI Gap Analysis may also be completed remotely, as it is interview-driven, whereas a PCI QSA is an on-site assessment that requires the auditor to be onsite for up till the assessment.
PCI Gap Analysis
A PCI Gap Analysis involves identifying and documenting the areas of non-compliance with the Payment Card Industry Data Security Standard (PCI DSS). During a PCI Gap Analysis, the merchants will get an assessor to initiate the assessment process. Given below are the steps of a PCI Gap Analysis:
- Scope – An experienced and qualified assessor works with the merchants to gain an understanding of their cardholder data environment. This is done by first initiating an interview-based discussion with your team to understand the scope and current level of adherence to PCI DSS Standards. This will also involve discussing strategies to help merchants reduce the scope and educating them on the security requirements necessary to comply with PCI DSS.
- Inventory – The assessor inventories all the systems in scope including business processes, facilities, network devices, and applications in the PCI environment. This further helps in the allocation of resources to secure them. The inventory of systems in scope is done by prioritizing based on the risk levels. Accordingly, resources are allotted and controls are implemented where necessary.
- Security Control Evaluation – The security controls of the PCI environment are evaluated against the 12 PCI DSS requirements mentioned below to determine Compliance status.
| Goals | PCI DSS Requirements |
| Build & Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters. |
| Protect Cardholder Data | 3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks. |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software or programs. 6. Develop and maintain secure systems and applications. |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know. 8. Assign a unique ID to each person with computer access. 9. Restrict physical access to cardholder data. |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes. |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for employees and contractors. |
- Reporting – After the PCI Gap Analysis ,the assessor provides a complete report detailing gaps in Compliance and prioritizing steps to remediation. The high-level recommendations for remediation are discussed with the understanding that merchants will work on and implement them prior to the PCI Audit.
Final Thought
PCI DSS Gap Analysis is an initial process that makes your compliance journey easy. Organizations looking to achieve PCI Compliance must first perform a gap analysis before initiating their journey of Compliance. This provides direction to the right path and helps them streamline the process and make Compliance more achievable. It is a process that will take your organization closer to securing your PCI environment and achieving Compliance.
About the Author: Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2, PDPA, PDPB, to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
