PCI Gap Assessment

The PCI Gap Assessment uses a proven methodology to identify areas of risk and then works toward compliance through a well-thought-out, repeatable process.

A PCI Gap Assessment is critical to understanding how securely credit card data is handled in the current environment. Compliance with the PCI Data Security Standard (DSS) is mandatory for any organization that handles credit card data. The goal of a PCI Gap Assessment is to gain a control-level understanding of the PCI environment. This process is used to assess readiness for an upcoming PCI Report on Compliance (RoC) assessment and to identify deficient controls that could cause PCI RoC failures.


A PCI Gap Assessment helps you to determine your readiness for an onsite RoC assessment. The process will help you understand key areas of weakness and noncompliance. Additionally, a PCI Gap Assessment helps you understand rapidly evolving security compliance obligations and develop an enterprise-wide strategy and plan for achieving compliance.

A well-designed program allows an organization not only to meet its obligations, but also to build a culture of security that lets it gain a competitive edge by securing its infrastructure and increase the credibility of its marketing messages by safeguarding customer data.


SecureState consultants understand that the true cost of compliance lies not in achieving it, but in maintaining it. Compliance responsibilities often fall on staff who are already overtaxed and have limited budgets and resources. SecureState’s consultants are experts in understanding both the technical and business aspects of your organization. They can help you operationalize compliance requirements and embed them in your daily culture. Additionally, as a Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV), our consultants have the knowledge and expertise required to assist your organization with PCI compliance, thereby reducing the overall risk to your organization.

Approach and Methodology

A PCI Gap Assessment is critical to understanding how your environment relates to PCI compliance. However, assessments alone do not mitigate risk; they only identify it. SecureState’s approach maps out critical information processes and technical infrastructure to determine where PCI controls have an impact on the business. Based on SecureState’s experience, very few clients maintain full compliance with PCI DSS 3.2 requirements. Additionally, as the organization evolves, business and customer demand require ease of use and cutting-edge technology to drive efficiency. Legacy systems also pose a risk for mature environments. SecureState has outlined the most cost-effective approach to becoming PCI compliant. This approach will allow your organization to get the most value, and to have the most options and flexibility, in meeting the goals of security and compliance.

Before SecureState comes onsite, we will introduce the engagement participants and define roles and responsibilities. SecureState will help you define your engagement goals, review high-level engagement activities with your key personnel, and establish onsite timeframes. We will also ensure that your MyState collaborative portal has been set up for the secure transmission of documentation.

Once onsite, SecureState will document the PCI business process and its supporting technologies, and document the ways cardholder data (CHD) is introduced into the environment. This allows us to identify the data elements used when storing, processing, or transmitting CHD; identify where CHD is stored, processed, or transmitted; and map PCI processes to the supporting technical infrastructure.

SecureState will then analyze your environment against the PCI requirements. We will assess (where applicable) systems that store, process, or transmit CHD, document the existing controls used to protect CHD, and identify gaps against the PCI DSS 3.2 requirements. Additionally, SecureState consultants will help identify areas where you can improve and streamline your compliance efforts, thereby improving your overall return on security investment while mitigating risk.

SecureState will prepare a detailed PCI Gap Assessment report outlining tactical and strategic recommendations to mitigate the identified control gaps. SecureState will also provide a remediation plan, reducing the time and effort needed ahead of your upcoming RoC assessment.