800.903.6264

SecureState
Search
Home > Services > Audit and Compliance > PCI GAP Analysis

AUDIT & COMPLIANCE

PCI Gap Assessment

Essentials

A PCI Gap Assessment identifies areas where an organization does not comply with the Payment Card Industry Data Security Standard (PCI DSS), and outlines areas requiring remediation. The goal is to evaluate your company’s readiness to pass a PCI On-Site Assessment. To combat identity theft and to better secure credit card data, credit card associations created the Payment Card Industry (PCI) Data Security Standard (DSS). Organizations that “process, store or transmit” cardholder data must comply with such standards. Compliance obligations also include federal and state governments that have added their own compliance requirements, including the GLBA, FTC Act and state breach notification laws.

Benefits

  • Compliance with the PCI DSS
  • Identification of non-compliant areas and understanding of what actions are needed to comply with the PCI DSS
  • Proper 3rd party objective demonstration of PCI DSS compliance
  • Avoidance of damages often totaling millions of dollars that could result from a cardholder data compromise
  • Competitive edge through securing infrastructure
  • Safeguards against customers’ identity theft
  • A “Safe Harbor” claim requires the entity to be in full compliance with the PCI DSS prior to, and at the time of a breach
  • Reduction of the cost, confusion, and complexity of PCI DSS compliance

Expertise

SecureState’s Audit & Compliance consultants are experts in understanding both the technical aspects as well as the business aspects of your organization. As a Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV), our Staff Members have the knowledge and expertise required to assist your organization with PCI compliance.

Did You Know?

  • Performing a PCI Gap Assessment can reduce your company’s overall audit fees
  • True PCI compliance entails making the correct security decisions throughout the year
  • A PCI Gap Assessment will help you to understand rapidly evolving security compliance obligations
  • We develop an enterprise-wide strategy and plan for achieving compliance
  • Our Staff Members can assist you with implementing required operational changes
  • A gap assessment is recommend prior to your first PCI onsite assessment
  • Insufficient documentation and lack of appropriate monitoring processes are the most common findings
  • A remediation roadmap will provide you with detailed tasks and estimated timeframes for completing identified mitigation activities
  • A PCI Gap Assessment should be performed annually.
  • Common Misconception: Periodic vulnerability scanning and annual audits are all that is required to safeguard credit card data and achieve PCI compliance.
  • Reality: True PCI compliance entails making the correct security decisions throughout the year, and requires an organization to:
    • Understand rapidly evolving security compliance obligations
    • Develop an enterprise-wide strategy and plan for achieving compliance
    • Implement required operational changes
    • Raise employee’s awareness on the threats and compliance obligations
    • Maintain compliance throughout the year

RELATED:

Our Approach and Methodology

SecureState’s approach to a PCI Gap Assessment maps out critical information processes and determines if regulatory controls have an impact on the business. The goals are to:

  • Efficiently execute your PCI compliance program
  • Interpret the PCI DSS and get answers for you quickly
  • Remediation cost-justification
  • Keep you up-to-date on evolving PCI requirements, threats, and liabilities

The stages of our PCI Gap Assessment, with limited descriptions, are as follows:

Pre-Onsite Visit:

  • Introduce engagement participants and define roles
  • Review engagement activities
  • Review any applicable documentation

Process Mapping:

  • Document the high level PCI business process and supporting technologies
  • Perform data flow analysis and map PCI processes to technical infrastructure

Requirements Analysis:

  • Document the existing controls used to protect cardholder data
  • Identify gaps against the PCI DSS 2.0 requirements (e.g., External Scans, External Penetration Tests, and Internal Scans, etc.)

Reporting:

  • On-site interview and information gathering to assess PCI compliance status
  • Outline strategic recommendations to mitigate identified control gaps
  • Upload remediation activities to “MyState Portal”

What Makes Us Different

SecureState

  • Provides comprehensive on-demand security expertise during the engagement and throughout the year
  • Supports its clients’ PCI programs with our proprietary “MyState Portal” and a team of qualified PCI specialists
  • Maintains close relationships with our clients because we care about the outcome of the assessment
  • Provides consistent control requirement interpretations. Any ambiguous requirements are reviewed, researched, and agreed upon by all SecureState QSAs to ensure opinions do not differ from year to year or among the QSAs
  • Provide continual compliance services throughout the year to ensure that periodic tasks are being performed, as well as analyze how changes in your environment can affect compliance, and notify you of any new changes to or additional guidance related to the PCI DSS
  • Provides PCI training at ISACA events, leading conferences, and independent seminars.
  • Truly understand the intent of each requirement to recommend appropriate mitigation activities or compensating controls

Downloads

We Can Help You

Copyright © 2012 SecureState LLC. All rights reserved.
23340 Miles Road Cleveland, Ohio 44128-5493 | 800.903.6264

SecureState Data Security